VA Scan remediation - HSTS Missing From HTTPS Server
Hi,
I am referencing again on the previous ticket i have raised: INC-A21729 Can you provide the CV Number that states that HSTS should be scanned after Pega login and not before Login.
Also, please confirm that this VA Scan finding is False Positive in Pega.
| Configure the remote web server to use HSTS. |
| Configure the remote web server to use HSTS. |
| Plugin Output: HTTP/1.1 302 Set-Cookie: JSESSIONID=FF724035664AE00B7B4BF933D90F7847.; Path=/; Secure; HttpOnly Location: https://<IPADDRESS>/prweb Content-Type: text/html Content-Length: 0 Date: Sun, 31 Mar 2024 13:02:51 GMT Connection: close The remote HTTPS server does not send the HTTP ""Strict-Transport-Security"" header. |
***Edited by Moderator Marije to add correct open INC-B13421 for same question ***
Accepted Solution
Updated: 23 Apr 2024 8:12 EDT
Pegasystems Inc.
GB
@JuvanE06 our support team resolved your ticket INC-B13421.
The question here is whether the request headers are being set by the application server or application ? As per the screen shot of the existing custom response headers configured in the application, we have set the strict-transport-security at application level.
But from the headers before login, we could see the X-Frame-Options, X-Content -Type -Options etc in the headers which are not configured at application level and indicates , these might be configured at application server lever. So, requested you to validate the configurations are application server level.
Issue primary reason description: Application is no more vulnerable to HSTS as , HSTS is being handled at application level as a part of custom response headers.
Explanation description: Please refer below doc on how to configure and to know how application is secured using response headers. https://docs-previous.pega.com/security/85/using-http-response-headers
Updated: 8 Apr 2024 9:04 EDT
Pegasystems Inc.
GB
@JuvanE06 INC-A21729 was investigated by our Global Client Support team and not related to this public community forum.
Your ticket was closed on October 31st 2023
------------------------------------------------
Issue primary reason description:
Missing Response Header
Explanation description:
To mitigate this vulnerability please create a custom header as advised in this article:
https://community.pega.com/knowledgebase/articles/security/85/creating-custom-http-response-header
The values of the header might differ depending on your need.
--------------------------------------------------
Please liaise with GCS via the MSP portal.
I have checked and the actual support ticket you appear to be referring to is in fact INC-B13421 (VA Scan remediation - HSTS Missing From HTTPS Server) and our support team are already engaging with you, hence no need to post this question here on the PSC.
Accepted Solution
Updated: 23 Apr 2024 8:12 EDT
Pegasystems Inc.
GB
@JuvanE06 our support team resolved your ticket INC-B13421.
The question here is whether the request headers are being set by the application server or application ? As per the screen shot of the existing custom response headers configured in the application, we have set the strict-transport-security at application level.
But from the headers before login, we could see the X-Frame-Options, X-Content -Type -Options etc in the headers which are not configured at application level and indicates , these might be configured at application server lever. So, requested you to validate the configurations are application server level.
Issue primary reason description: Application is no more vulnerable to HSTS as , HSTS is being handled at application level as a part of custom response headers.
Explanation description: Please refer below doc on how to configure and to know how application is secured using response headers. https://docs-previous.pega.com/security/85/using-http-response-headers