VA Scan remediation - HSTS Missing From HTTPS Server (RFC 6797) - INC-A21729

Hi,

We have applied HSTS Settings on our Pega server as advised on this Inc - INC-A21729.

But the vulnerability is still being flagged in our VA Scan report. Please advise.

Regards,

Juvan Etong

@JuvanE06 INC-A21729 was logged against Pega Care Management 7.4 and was closed October last year after suggesting you follow the Security configuration article Creating a custom HTTP response header.

Please log a new support incident via the MSP in order that the same team can help you further, as the advice in the article is for Pega 8.5 and not 7.4.

I have just checked - you appear to already have logged a ticket. Is INC-B1743 (VA Scan remediation - HSTS Missing From HTTPS Server) the new ticket you logged with support? Kindly provide these details when you submit questions on the forum, as this helps us track ongoing investigations…

@JuvanE06 I can see that INC-B1743 was closed as there was no response for a week.

Our support team reiterated the analysis from INC-A21729 that you should have HSTS enabled in your application. They checked the details of your custom headers configuration DSS and requested the HAR file of the requests where Pega does not send the headers.

Please select the Fetch/XHR requests and check the response headers:

  1. Check the network trace after login, not before login.

  2. Custom headers should be added using DSS.

We are assuming that the issue is now resolved. Please reopen your GCS ticket if you need to provide new findings.
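The advice in this thread is to look at the response headers of the post-login Fetch/XHR requests and confirm that every HTTPS response actually carries a Strict-Transport-Security header, since a scanner will keep flagging the finding as long as any in-scope response lacks it. The following checker is an added example and is not code from Pega or from this thread: it parses the header value according to RFC 6797 (required `max-age`, optional `includeSubDomains`, directives must not repeat, unknown directives are ignored) and reports per-response findings. The function names (`parse_hsts`, `check_response`, `audit`), the one-year `max-age` threshold, and the sample responses with their URL paths are all assumptions constructed for the example; in practice you would feed it the headers exported from a HAR file.

```python
"""Check HTTPS response headers for a valid Strict-Transport-Security header.

Added example (not from the thread or from Pega). Parsing follows RFC 6797
section 6.1; the sample responses below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Mapping, Optional

# Common scanner threshold for max-age (one year); assumption, not a Pega setting.
ONE_YEAR = 365 * 24 * 60 * 60


@dataclass
class HstsPolicy:
    max_age: int
    include_subdomains: bool
    preload: bool  # 'preload' is a browser preload-list convention, not part of RFC 6797


def parse_hsts(value: str) -> Optional[HstsPolicy]:
    """Parse an STS header value. Returns None if the value is invalid.

    RFC 6797: max-age is required, each directive may appear only once,
    delta-seconds may be quoted, and unrecognised directives are ignored.
    """
    max_age = None
    include_subdomains = False
    preload = False
    seen = set()
    for raw in value.split(";"):
        directive = raw.strip()
        if not directive:
            continue
        name, _, val = directive.partition("=")
        name = name.strip().lower()
        val = val.strip().strip('"')
        if name in seen:
            return None  # duplicate directive makes the header invalid
        seen.add(name)
        if name == "max-age":
            if not val.isdigit():
                return None  # delta-seconds must be a non-negative integer
            max_age = int(val)
        elif name == "includesubdomains":
            include_subdomains = True
        elif name == "preload":
            preload = True
        # any other directive is ignored per RFC 6797
    if max_age is None:
        return None  # max-age is REQUIRED
    return HstsPolicy(max_age, include_subdomains, preload)


def check_response(headers: Mapping[str, str], min_age: int = ONE_YEAR) -> list:
    """Return the findings for one response's headers; an empty list means it passes."""
    findings = []
    # Header names are case-insensitive, so match them that way.
    sts = next((v for k, v in headers.items() if k.lower() == "strict-transport-security"), None)
    if sts is None:
        findings.append("HSTS missing: no Strict-Transport-Security header")
        return findings
    policy = parse_hsts(sts)
    if policy is None:
        findings.append(f"HSTS invalid: could not parse {sts!r}")
        return findings
    if policy.max_age == 0:
        findings.append("HSTS max-age=0 disables the policy")  # clears any stored policy
    elif policy.max_age < min_age:
        findings.append(f"HSTS max-age {policy.max_age} is below {min_age}")
    if not policy.include_subdomains:
        findings.append("HSTS lacks includeSubDomains (informational)")
    return findings


# Constructed sample responses standing in for post-login Fetch/XHR traffic.
# Paths and headers are hypothetical and not taken from any real Pega server.
SAMPLE_RESPONSES = {
    "/api/cases (after login)": {
        "Content-Type": "application/json",
        "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    },
    "/static/app.js (after login)": {
        "Content-Type": "application/javascript",
        # no STS header here: this is exactly what a VA scanner keeps flagging
    },
    "/login (before login)": {
        "Strict-Transport-Security": "max-age=0",
    },
}


def audit(responses: Mapping[str, Mapping[str, str]] = SAMPLE_RESPONSES) -> dict:
    """Run check_response over every captured response, keyed by request label."""
    return {label: check_response(hdrs) for label, hdrs in responses.items()}


if __name__ == "__main__":
    for label, findings in audit().items():
        print(label, "->", findings or ["ok"])
```

Running it over a real capture means converting each HAR entry's `response.headers` list into a name/value mapping and passing it to `check_response`; the point to take from the sample is that a correct header on the main page is not enough, because the scanner evaluates every HTTPS response, including the static assets and XHR calls made after login.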