[ClusterLabs] HSTS Missing From HTTPS Server on pcs daemon
tojeline at redhat.com
Tue Apr 4 05:30:54 EDT 2023
Hi S Sathish S,
pcs has been sending the Strict-Transport-Security header since version
pcs-0.9.168. There were further fixes in the pcs-0.10 branch, which you can
find in the pcs changelog:
* in pcs-0.10.5: Added missing Strict-Transport-Security headers to
* in pcs-0.10.14: Set 'Strict-Transport-Security: max-age=63072000' HTTP
header for all responses
The only known bug regarding the header is that it is not being sent in
HTTP 404 responses (requests for not-existing URLs). This is already
fixed upstream and the fix will be included in the upcoming pcs release.
If you think the header is missing somewhere else, please provide a
reproducer, so we can take a closer look at it.
On 03. 04. 23 at 15:37, S Sathish S via Users wrote:
> Hi Team,
> In our product we are using the pcs-0.10.15 version. While running a Tenable
> scan, we found the below vulnerability reported on the 2224 pcsd daemon. Moreover, we
> have disabled the PCSD Web UI in our application, but the vulnerability is still reported
> in the system.
> Plugin ID : 84502
> Plugin Name : HSTS Missing From HTTPS Server
> Please provide any mitigation plan for this.
> Thanks and Regards,
> S Sathish S
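The reply above asks for a reproducer showing where the header is missing. The following is an added example, not pcs code, of a small per-status-code audit a defender can run over captured HTTPS responses: it parses the Strict-Transport-Security value, checks max-age against the 63072000 seconds pcs sets, and makes a 404 without the header stand out. The sample responses are constructed inline.

```python
# Added example (not pcs code): audit captured HTTPS responses for the
# Strict-Transport-Security header, per status code, so a 404 that lacks
# the header stands out. Sample responses are constructed inline.

# max-age value pcs-0.10.14+ sends, per the changelog quoted in the thread
EXPECTED_MAX_AGE = 63072000


def parse_hsts(value):
    """Parse an HSTS value (RFC 6797 syntax) into a dict; max-age becomes int."""
    directives = {}
    for part in value.split(";"):
        name, _, val = part.strip().partition("=")
        if name:
            # directive names are case-insensitive
            directives[name.strip().lower()] = val.strip().strip('"')
    if not directives.get("max-age", "").isdigit():
        raise ValueError("missing or invalid max-age directive")
    directives["max-age"] = int(directives["max-age"])
    return directives


def check_hsts(status, headers, min_age=EXPECTED_MAX_AGE):
    """Return a finding string for one response, or None if it is fine."""
    # HTTP field names are case-insensitive, so match them that way
    value = next((v for k, v in headers.items()
                  if k.lower() == "strict-transport-security"), None)
    if value is None:
        return f"HTTP {status}: Strict-Transport-Security header missing"
    try:
        d = parse_hsts(value)
    except ValueError as exc:
        return f"HTTP {status}: {exc}"
    if d["max-age"] < min_age:
        return f"HTTP {status}: max-age {d['max-age']} is below {min_age}"
    return None


def audit(responses):
    """Map each (status, headers) pair to its finding; None means compliant."""
    return {status: check_hsts(status, hdrs) for status, hdrs in responses}


# Constructed sample: a 200 with the header and a 404 without it,
# mirroring the known 404 gap described in the reply
SAMPLE = [
    (200, {"Strict-Transport-Security": "max-age=63072000"}),
    (404, {"Content-Type": "text/html"}),
]
```

Feed it the status and header dict of each response from a scan of the pcsd port; any non-None entry in the result is a response the scanner will flag.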