Hi, I encountered a Nessus Scan issue stating HSTS Missing From HTTPS Server (RFC 6797) from EPR hosting on Podman.
Podman Version: 4.20
EPR Version: 8.6.1
RHEL Version: 9.1
Is there any way I can set the following configuration: header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" to the EPR? This configuration works for my HTTPS Apache server.
You are encountering an issue with your Nessus Scan, which is reporting that your EPR hosting on Podman is missing the HTTP Strict Transport Security (HSTS) header. HSTS is a widely supported standard that helps protect website visitors by ensuring that their browser always connects using an HTTPS connection.
To enable HSTS on your EPR server, you need to add the following configuration to your server’s Apache configuration file:
header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
This configuration sets the HSTS header with a max-age of 31536000 seconds, which means that the browser should remember that the site can be accessed only using HTTPS for one year. The includeSubDomains directive ensures that all subdomains of your site are also protected by HSTS, while the preload directive adds your site to the HSTS preload list maintained by Google Chrome and other browsers.
Since you are using Podman instead of Apache, you may need to modify this configuration to work with your specific setup.
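As an added example (not part of the comment above, and not EPR or Nessus code), this Python snippet parses a Strict-Transport-Security value by the RFC 6797 rules and reports whether a response carries the policy discussed in this thread. The function names, the one-year default threshold and the sample headers are assumptions constructed for illustration.

```python
import re

# RFC 6797 section 6.1: directives are ';'-separated, names are case-insensitive,
# values are tokens or quoted-strings, and a repeated directive invalidates the header.
_DIRECTIVE = re.compile(r'^([A-Za-z0-9!#$%&*+.^_`|~-]+)\s*(?:=\s*(?:"([^"]*)"|([^\s";]+)))?$')

def parse_hsts(value):
    """Parse a Strict-Transport-Security value; return a dict, or None if invalid."""
    seen = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:                      # the grammar allows empty directives
            continue
        m = _DIRECTIVE.match(part)
        if not m or m.group(1).lower() in seen:   # malformed or duplicated directive
            return None
        seen[m.group(1).lower()] = m.group(2) if m.group(2) is not None else m.group(3)
    age = seen.get("max-age")
    if age is None or not (age.isascii() and age.isdigit()):   # max-age is required
        return None
    return {"max_age": int(age), "include_subdomains": "includesubdomains" in seen,
            "preload": "preload" in seen}

def audit(headers, min_age=31536000):
    """Return findings for one HTTPS response's headers (a name -> value mapping)."""
    value = next((v for k, v in headers.items()
                  if k.lower() == "strict-transport-security"), None)
    if value is None:
        return ["missing"]
    policy = parse_hsts(value)
    if policy is None:
        return ["invalid"]
    findings = []
    if policy["max_age"] == 0:
        findings.append("max-age=0 clears the policy")
    elif policy["max_age"] < min_age:
        findings.append("max-age below threshold")
    if not policy["include_subdomains"]:
        findings.append("no includeSubDomains")
    return findings

# Constructed sample responses, not captured from a real registry.
SAMPLES = {
    "no header": {"Content-Type": "application/json"},
    "value from the thread": {
        "Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload"},
}

if __name__ == "__main__":
    for label, hdrs in SAMPLES.items():
        print(label, audit(hdrs))
```

An empty list from `audit` means the header is present, well-formed and at least as strict as the value quoted in this thread.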
There is no Apache service inside the EPR image. I suspect that the package registry was bundled as a single binary. How can I provide the command to the package registry?