Vulnerability: HSTS Missing From HTTPS Server
#1
I have an application built with IW 15.8.2 that is currently undergoing PCI version 3.2.1 DSS level 1 certification and it has failed on the following:
Quote: Part 2. Vulnerability Details
Component: [web address removed]
Compliance Status: Fail
Detected Open Port: TCP port 443
CVE Number: (None)
CVSS Score: 5.8
Severity Level: Medium
Vulnerability: HSTS Missing From HTTPS Server
Details Synopsis: The remote web server is not enforcing HSTS.
Impact: The remote HTTPS server is not enforcing HTTP Strict Transport Security (HSTS). HSTS is an optional response header
that can be configured on the server to instruct the browser to only communicate via HTTPS. The lack of HSTS allows downgrade
attacks, SSL-stripping man-in-the-middle attacks, and weakens cookie-hijacking protections.
See also: https://tools.ietf.org/html/rfc6797
Data Received: The remote HTTPS server does not send the HTTP "Strict-Transport-Security" header.
Resolution: Configure the remote web server to use HSTS.


Is there an IW setting to enforce this, or do I just add the custom header "Strict-Transport-Security: max-age=<expire-time>" in ServerController OnNewSession?

TIA
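Whichever way the header ends up being emitted (a custom header in a ServerController event, or the built-in option mentioned later in the thread), the scanner's finding only clears once the response actually carries a well-formed Strict-Transport-Security header. The following script is an added example, not IntraWeb or Atozed code, that grades a response header map the way a PCI scanner does: header missing is a fail, a malformed or zero max-age is a fail, a short max-age or a missing includeSubDomains is a warning. The sample responses in it are constructed for illustration; in practice you would feed it the headers returned by your own server.

```python
"""Grade an HTTPS response's Strict-Transport-Security header against
RFC 6797 (added example; sample responses below are constructed)."""
import re
from typing import Dict, List, Optional, Tuple

# Preload lists and most scanner policies want at least one year.
ONE_YEAR = 365 * 24 * 3600


def parse_hsts(value: str) -> Dict[str, Optional[str]]:
    """Split 'max-age=31536000; includeSubDomains' into {name: value}.
    Directive names are case-insensitive; duplicates are invalid per
    RFC 6797 section 6.1, so they raise ValueError."""
    directives: Dict[str, Optional[str]] = {}
    for token in value.split(";"):
        token = token.strip()
        if not token:
            continue
        name, sep, val = token.partition("=")
        name = name.strip().lower()
        if name in directives:
            raise ValueError(f"duplicate directive: {name}")
        # Values may be quoted strings; strip the quotes if present.
        directives[name] = val.strip().strip('"') if sep else None
    return directives


def check_hsts(headers: Dict[str, str]) -> Tuple[str, List[str]]:
    """Return ('fail' | 'warn' | 'pass', reasons) for one response.
    Header names are matched case-insensitively."""
    value = next((v for k, v in headers.items()
                  if k.lower() == "strict-transport-security"), None)
    if value is None:
        return "fail", ["Strict-Transport-Security header not sent"]
    try:
        d = parse_hsts(value)
    except ValueError as exc:
        return "fail", [str(exc)]

    max_age = d.get("max-age")
    if max_age is None or not re.fullmatch(r"\d+", max_age):
        return "fail", ["max-age missing or not a non-negative integer"]
    age = int(max_age)
    if age == 0:
        # max-age=0 is the documented way to revoke a policy, not enforce it.
        return "fail", ["max-age=0 tells browsers to forget the policy"]

    reasons: List[str] = []
    if age < ONE_YEAR:
        reasons.append(f"max-age={age} is below one year")
    if "includesubdomains" not in d:
        reasons.append("includeSubDomains not set; subdomains stay unprotected")
    return ("warn" if reasons else "pass"), reasons


# Constructed sample responses (not captured from any real server).
SAMPLES: Dict[str, Dict[str, str]] = {
    "no_header": {"Content-Type": "text/html"},
    "short_max_age": {"strict-transport-security": "max-age=300"},
    "good": {"Strict-Transport-Security":
             "max-age=31536000; includeSubDomains"},
}


def scan_samples() -> Dict[str, str]:
    """Grade every constructed sample; returns {name: verdict}."""
    return {name: check_hsts(hdrs)[0] for name, hdrs in SAMPLES.items()}


if __name__ == "__main__":
    for name, hdrs in SAMPLES.items():
        verdict, reasons = check_hsts(hdrs)
        print(f"{name}: {verdict} {'; '.join(reasons)}")
```

To use it against a live server, collect the response headers with any HTTP client and pass the resulting dict to check_hsts; note that the header must be present on every HTTPS response, not only the first one, so check more than the landing page.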
#2
Hi, read here: https://www.atozed.com/forums/thread-130...ml#pid4475
#3
Hi Zane,

You can set this using OnAfterDispatch event. Anyway, we will be introducing an option to set this automatically when using HTTPS, via ServerController properties. It should be available in the next release.

Kind regards,
#4
(10-26-2020, 10:16 AM)Alexandre Machado Wrote: Hi Zane,

You can set this using OnAfterDispatch event. Anyway, we will be introducing an option to set this automatically when using HTTPS, via ServerController properties. It should be available in the next release.

Kind regards,

Thanks Alexandre.

I look forward to it.
#5
Zane please check your email. Our admin has been trying to reach you regarding your license.
#6
Hi Zane,

Please update to IW 15.2.20, which implements the HSTS functionality out of the box.