Kemp Support, how can we help?

The latest application delivery knowledge and expertise at your fingertips.

  1. Kemp Support
  2. Knowledge Base
  3. Content Delivery

HTTPS VIP is failing PCI compliance

Updated

 

Information

 

Summary:

A Virtual Service to load balance HTTPS traffic was created but it was failing PCI Compliance.
Environment:

Product: LoadMaster

Version: Any.

Platform: Any.

Application: IIS
Question/Problem Description:

HTTPS Virtual Service but it is failing PCI Compliance. The scanner says that the HSTS is missing despite the Strict Transport Security Header to include Sub-domains being configured.
Steps to Reproduce:  
Error Message: "HSTS is missing"
Defect Number:  
Enhancement Number:  
Cause: HTST was missing as a response header.
Resolution:
  • The Strict Transport Security option under SSL properties will inject the HSTS header to the server as a request. The client does not see this since this is back-end traffic. 
  • Since the scanner is the client, this is the reason why the VIP was failing PCI Compliance. 
  • To solve this, an Add-Header content rule with the header name Strict-Transport-Security and the value max-age=31536000, includeSubDomains should be created.
  • Then, the content rule needs to applied as a response header under Advanced Properties so it becomes visible to the client. 
Workaround:  
Notes:

https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security

https://support.kemptechnologies.com/hc/en-us/articles/5143451528077-Content-Rules#:~:text=of%20dependent%20rules.-,3.3.2%20Add%20Header,-The%20Add%20Header

Comments

In this document