[ClusterLabs] HSTS Missing From HTTPS Server on pcs daemon

Tomas Jelinek tojeline at redhat.com
Tue Apr 4 05:30:54 EDT 2023

Hi S Sathish S,

pcs is sending Strict-Transport-Security header since version 
pcs-0.9.168. There were further fixes in pcs-0.10 branch which you can 
find in pcs changelog [1]:
* in pcs-0.10.5: Added missing Strict-Transport-Security headers to 
* in pcs-0.10.14: Set 'Strict-Transport-Security: max-age=63072000' HTTP 
header for all responses

The only known bug regarding the header is that it is not being sent in 
HTTP 404 responses (requests for not-existing URLs). This is already 
fixed upstream and the fix will be included in the upcoming pcs release.

If you think the header is missing somewhere else, please provide a 
reproducer, so we can take a closer look at it.


[1]: https://github.com/ClusterLabs/pcs/blob/pcs-0.10/CHANGELOG.md

Dne 03. 04. 23 v 15:37 S Sathish S via Users napsal(a):
> Hi Team,
> In our product we are using pcs-0.10.15 version while running tenable 
> scan found below vulnerability reported on 2224 pcsd daemon. Moreover we 
> have disable PCSD Web UI in our application still vulnerability reported 
> in the system.
> Plugin ID : 84502
> Plugin Name : HSTS Missing From HTTPS Server
> Please provide any mitigation plan for this.
> Thanks and Regards,
> S Sathish S
> _______________________________________________
> Manage your subscription:
> https://lists.clusterlabs.org/mailman/listinfo/users
> ClusterLabs home: https://www.clusterlabs.org/

More information about the Users mailing list