[ClusterLabs] HSTS Missing From HTTPS Server on pcs daemon
Tomas Jelinek
tojeline at redhat.com
Tue Apr 4 05:30:54 EDT 2023
Hi S Sathish S,
pcs has been sending the Strict-Transport-Security header since version
pcs-0.9.168. There were further fixes in the pcs-0.10 branch, which you can
find in the pcs changelog [1]:
* in pcs-0.10.5: Added missing Strict-Transport-Security headers to
redirects
* in pcs-0.10.14: Set 'Strict-Transport-Security: max-age=63072000' HTTP
header for all responses
The only known bug regarding the header is that it is not being sent in
HTTP 404 responses (requests for non-existent URLs). This is already
fixed upstream and the fix will be included in the upcoming pcs release.
If you think the header is missing somewhere else, please provide a
reproducer, so we can take a closer look at it.
Regards,
Tomas
[1]: https://github.com/ClusterLabs/pcs/blob/pcs-0.10/CHANGELOG.md
On 03. 04. 23 at 15:37, S Sathish S via Users wrote:
> Hi Team,
>
> In our product we are using the pcs-0.10.15 version. While running a Tenable
> scan, we found the vulnerability below reported on the 2224 pcsd daemon. Moreover, we
> have disabled the PCSD Web UI in our application, but the vulnerability is still reported
> on the system.
>
> Plugin ID : 84502
>
> Plugin Name : HSTS Missing From HTTPS Server
>
> Please provide any mitigation plan for this.
>
> Thanks and Regards,
> S Sathish S
>
>
> _______________________________________________
> Manage your subscription:
> https://lists.clusterlabs.org/mailman/listinfo/users
>
> ClusterLabs home: https://www.clusterlabs.org/
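A way to verify the reply's claim on your own deployment, rather than relying on the scanner's single probe, is to request a normal page, a redirect and a deliberately non-existent URL over HTTPS and check each response for a Strict-Transport-Security header with the expected max-age. The following is an added example written for this thread; it is not pcs code and not part of the original messages. It assumes pcsd listens on port 2224 (as in the report above) and takes the expected max-age of 63072000 from the changelog entry quoted in the reply; the probe paths are hypothetical placeholders, and the built-in sample responses are constructed to mirror the three cases discussed (header present on 200 and on a redirect, missing on 404).

```python
"""Audit HTTPS responses for a Strict-Transport-Security (HSTS) header.

Added example for the ClusterLabs thread above; not pcs project code.
"""
import http.client
import re
import ssl

# Value pcs sets since pcs-0.10.14 (two years in seconds), per the changelog quoted in the reply.
EXPECTED_MAX_AGE = 63072000

# Hypothetical probe paths: a normal page, a path likely to redirect, and a URL that does
# not exist.  The 404 case is the one the reply says was still missing the header.
PROBE_PATHS = ["/", "/ui/", "/this-path-does-not-exist-hypothetical"]

_MAX_AGE_RE = re.compile(r"max-age\s*=\s*(\d+)", re.IGNORECASE)


def parse_hsts(value):
    """Parse an HSTS header value into (max_age, include_subdomains); None if malformed."""
    if value is None:
        return None
    m = _MAX_AGE_RE.search(value)
    if not m:
        return None
    directives = [d.strip().lower() for d in value.split(";")]
    return int(m.group(1)), "includesubdomains" in directives


def evaluate_response(path, status, headers, expected_max_age=EXPECTED_MAX_AGE):
    """Return a list of findings for one response; an empty list means the response is fine."""
    findings = []
    # HTTP header names are case-insensitive, so normalise before looking the header up.
    lowered = {k.lower(): v for k, v in headers.items()}
    hsts = lowered.get("strict-transport-security")
    if hsts is None:
        findings.append(f"{path} ({status}): Strict-Transport-Security header missing")
        return findings
    parsed = parse_hsts(hsts)
    if parsed is None:
        findings.append(f"{path} ({status}): malformed HSTS value {hsts!r}")
        return findings
    max_age, _include_subdomains = parsed
    if max_age < expected_max_age:
        findings.append(f"{path} ({status}): max-age {max_age} below expected {expected_max_age}")
    return findings


def audit(responses, expected_max_age=EXPECTED_MAX_AGE):
    """Evaluate a list of (path, status, headers) tuples; return all findings in order."""
    findings = []
    for path, status, headers in responses:
        findings.extend(evaluate_response(path, status, headers, expected_max_age))
    return findings


def fetch_headers(host, port=2224, paths=PROBE_PATHS, verify=True, timeout=5.0):
    """Live probe (stdlib only): return [(path, status, headers)] for each path over TLS.

    Not called by default so the module runs offline.  verify=False is only for a lab
    where pcsd still uses its self-signed certificate.
    """
    ctx = ssl.create_default_context()
    if not verify:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    out = []
    for path in paths:
        conn = http.client.HTTPSConnection(host, port, context=ctx, timeout=timeout)
        try:
            conn.request("GET", path)
            resp = conn.getresponse()
            out.append((path, resp.status, dict(resp.getheaders())))
        finally:
            conn.close()
    return out


# Constructed sample responses mirroring the cases discussed in the thread.
SAMPLE_RESPONSES = [
    ("/", 200, {"Content-Type": "text/html", "Strict-Transport-Security": "max-age=63072000"}),
    ("/ui/", 302, {"Location": "/ui/login", "Strict-Transport-Security": "max-age=63072000"}),
    ("/this-path-does-not-exist-hypothetical", 404, {"Content-Type": "text/html"}),
]

if __name__ == "__main__":
    # Offline run over the constructed samples; swap in fetch_headers("cluster-node") for a live check.
    for finding in audit(SAMPLE_RESPONSES):
        print(finding)
```

Run against a live node with `audit(fetch_headers("<node>"))`; a finding for the 404 path on pcs-0.10.15 matches the known bug in the reply, while a finding on "/" or on a redirect would be the kind of reproducer the reply asks for.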