HTTPS VIP is failing PCI compliance

A Virtual Service to load balance HTTPS traffic was created, but it failed PCI compliance.

Product: LoadMaster

Version: Any.

Platform: Any.

Application: IIS

Question/Problem Description:

An HTTPS Virtual Service is failing PCI compliance. The scanner reports that HSTS is missing even though the Strict Transport Security Header option (including sub-domains) is configured on the Virtual Service.

Steps to Reproduce:  
Error Message: "HSTS is missing"
Defect Number:  
Enhancement Number:  
Cause: HSTS was missing as a response header.
  • The Strict Transport Security option under SSL Properties injects the HSTS header into the request that the LoadMaster sends to the back-end server. The client never sees this header because it only travels on the back-end connection.
  • Since the scanner is the client, the header is missing from its point of view, which is why the VIP was failing PCI compliance.
  • To solve this, create an Add-Header content rule with the header name Strict-Transport-Security and the value max-age=31536000; includeSubDomains.
  • Then apply the content rule as a response header under Advanced Properties so the header is sent to the client.
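As an added verification example (not from the Kemp article), the Python script below checks the VIP from the client side the way the scanner does: it fetches the response headers over HTTPS and validates the Strict-Transport-Security value against the one-year, includeSubDomains policy described above. The script name hsts_check.py and the VIP hostname are placeholders; HSTS directives are separated by semicolons per RFC 6797, so a comma typed into the rule value makes max-age unparseable.

```python
import re
import ssl
import sys
import urllib.request
from urllib.error import HTTPError


def parse_hsts(value):
    """Parse an HSTS value (RFC 6797, ';'-separated) into (max_age, include_subdomains), or None."""
    if value is None:
        return None
    max_age, include_sub = None, False
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            m = re.fullmatch(r'"?(\d+)"?', arg.strip())
            if m is None:  # e.g. "max-age=31536000, includeSubDomains" (comma instead of ';')
                return None
            max_age = int(m.group(1))
        elif name == "includesubdomains":
            include_sub = True
    return None if max_age is None else (max_age, include_sub)


def hsts_compliant(headers, min_max_age=31536000, require_subdomains=True):
    """Judge response headers as the scanner (the client) does; defaults match the one-year policy."""
    # Header names are case-insensitive, so do not rely on the exact spelling the server used.
    value = next((v for k, v in headers.items() if k.lower() == "strict-transport-security"), None)
    parsed = parse_hsts(value)
    if parsed is None:
        return False, "HSTS is missing"
    max_age, include_sub = parsed
    if max_age < min_max_age:
        return False, f"max-age {max_age} is below {min_max_age}"
    if require_subdomains and not include_sub:
        return False, "includeSubDomains not set"
    return True, "ok"


def fetch_headers(url):
    """HEAD the VIP over TLS and return the headers the client actually receives."""
    req = urllib.request.Request(url, method="HEAD")
    try:
        with urllib.request.urlopen(req, context=ssl.create_default_context(), timeout=10) as resp:
            return dict(resp.headers.items())
    except HTTPError as err:  # a non-2xx reply still carries the response headers
        return dict(err.headers.items())


if __name__ == "__main__":  # usage: python hsts_check.py https://<vip-hostname>/
    print(hsts_compliant(fetch_headers(sys.argv[1])))
```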
