Kemp Support, how can we help?

The latest application delivery knowledge and expertise at your fingertips.

HTTPS VIP is failing PCI compliance

Updated: July 14, 2023 19:39

Information

Summary:	A Virtual Service to load balance HTTPS traffic was created but it was failing PCI Compliance.
Environment:	Product: LoadMaster Version: Any. Platform: Any. Application: IIS
Question/Problem Description:	HTTPS Virtual Service but it is failing PCI Compliance. The scanner says that the HSTS is missing despite the Strict Transport Security Header to include Sub-domains being configured.
Steps to Reproduce:
Error Message:	"HSTS is missing"
Defect Number:
Enhancement Number:
Cause:	HTST was missing as a response header.
Resolution:	The Strict Transport Security option under SSL properties will inject the HSTS header to the server as a request. The client does not see this since this is back-end traffic. Since the scanner is the client, this is the reason why the VIP was failing PCI Compliance. To solve this, an Add-Header content rule with the header name Strict-Transport-Security and the value max-age=31536000, includeSubDomains should be created. Then, the content rule needs to applied as a response header under Advanced Properties so it becomes visible to the client.
Workaround:
Notes:	https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security https://support.kemptechnologies.com/hc/en-us/articles/5143451528077-Content-Rules#:~:text=of%20dependent%20rules.-,3.3.2%20Add%20Header,-The%20Add%20Header

Was this article helpful?

0 out of 0 found this helpful

Comments

In this document