
HTTPS VIP is failing PCI compliance

Information

Summary:

A Virtual Service to load balance HTTPS traffic was created but it was failing PCI Compliance.

Environment:

Product: LoadMaster

Version: Any.

Platform: Any.

Application: IIS

Question/Problem Description:

An HTTPS Virtual Service is failing PCI Compliance. The scanner reports that the HSTS header is missing even though the Strict Transport Security option (including sub-domains) is configured on the Virtual Service.

Steps to Reproduce:  
Error Message: "HSTS is missing"
Defect Number:  
Enhancement Number:  
Cause: HSTS was missing as a response header.
Resolution:
  • The Strict Transport Security option under SSL Properties injects the HSTS header into the request that the LoadMaster sends to the real server. The client never sees it, because this is back-end traffic.
  • Since the scanner is the client, it never receives the header, which is why the VIP was failing PCI Compliance.
  • To solve this, create an Add Header content rule with the header name Strict-Transport-Security and the value max-age=31536000; includeSubDomains.
  • Then apply the content rule as a response rule under Advanced Properties so the header is sent to the client.
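A client-side check is the quickest way to confirm the fix, since the scanner only sees what the Virtual Service returns to the client. The following Python script is an added example (not Kemp's code and not part of the original article): it parses a raw HTTP response as the scanner would and checks for a Strict-Transport-Security header with a valid max-age per RFC 6797. The two sample responses are constructed to represent the Virtual Service before and after the content rule is applied; the one-year minimum age threshold is an assumption, since the article does not state what the scanner requires.

```python
from typing import Dict, Optional

# Constructed sample responses as seen by the client (e.g. the PCI scanner).
# Illustrative only, not captures from a real LoadMaster or IIS server.
RESPONSE_BEFORE_FIX = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Microsoft-IIS/10.0\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
)
RESPONSE_AFTER_FIX = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Microsoft-IIS/10.0\r\n"
    "Content-Type: text/html\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    "\r\n"
)

# Assumed threshold: one year, matching the value used in the content rule.
MIN_MAX_AGE = 31536000


def parse_headers(raw: str) -> Dict[str, str]:
    """Parse the header block of a raw HTTP response into a dict keyed by lower-cased header name."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers: Dict[str, str] = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    return headers


def parse_hsts(value: str) -> Dict[str, Optional[str]]:
    """Parse an HSTS field value per RFC 6797: directives separated by ';',
    names case-insensitive, a directive may or may not carry a value."""
    directives: Dict[str, Optional[str]] = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        directives[name.strip().lower()] = val.strip().strip('"') or None
    return directives


def check_hsts(raw_response: str, min_max_age: int = MIN_MAX_AGE) -> Dict[str, object]:
    """Report what a client-side scanner would conclude about HSTS on this response."""
    headers = parse_headers(raw_response)
    value = headers.get("strict-transport-security")
    result: Dict[str, object] = {
        "present": value is not None,
        "max_age": None,
        "include_subdomains": False,
        "ok": False,
    }
    if value is None:
        return result
    directives = parse_hsts(value)
    max_age = directives.get("max-age")
    if max_age is not None and max_age.isdigit():
        result["max_age"] = int(max_age)
    result["include_subdomains"] = "includesubdomains" in directives
    # RFC 6797 requires max-age; the minimum age is a policy choice of the scanner.
    result["ok"] = result["max_age"] is not None and int(result["max_age"]) >= min_max_age
    return result


if __name__ == "__main__":
    print("before fix:", check_hsts(RESPONSE_BEFORE_FIX))
    print("after fix: ", check_hsts(RESPONSE_AFTER_FIX))
```

Against a live Virtual Service the same check applies to the headers returned over HTTPS to the client, not to what the real server receives; if the header only shows up on the back-end side, the rule is still injecting into the request rather than the response.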
Workaround:  
Notes:

https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security

https://support.kemptechnologies.com/hc/en-us/articles/5143451528077-Content-Rules#:~:text=of%20dependent%20rules.-,3.3.2%20Add%20Header,-The%20Add%20Header

