VA Scan remediation - HSTS Missing From HTTPS Server

Hi,

I am referencing again the previous ticket I have raised: INC-A21729

Can you provide the CV Number that states that HSTS should be scanned after Pega login and not before login?

Also, please confirm that this VA Scan finding is False Positive in Pega.

Configure the remote web server to use HSTS.
Plugin Output:
HTTP/1.1 302
Set-Cookie: JSESSIONID=FF724035664AE00B7B4BF933D90F7847.; Path=/; Secure; HttpOnly
Location: https:///prweb
Content-Type: text/html
Content-Length: 0
Date: Sun, 31 Mar 2024 13:02:51 GMT
Connection: close


The remote HTTPS server does not send the HTTP "Strict-Transport-Security" header.

@JuvanE06 INC-A21729 was investigated by our Global Client Support team and is not related to this public community forum.

Your ticket was closed on October 31st 2023


Issue primary reason description:

Missing Response Header

Explanation description:

To mitigate this vulnerability please create a custom header as advised in this article:

https://community.pega.com/knowledgebase/articles/security/85/creating-custom-http-response-header

The values of the header might differ depending on your need.


Please liaise with GCS via the MSP portal.

I have checked and the actual support ticket you appear to be referring to is in fact INC-B13421 (VA Scan remediation - HSTS Missing From HTTPS Server) and our support team are already engaging with you, hence no need to post this question here on the PSC.

@JuvanE06 our support team resolved your ticket INC-B13421.

The question here is whether the request headers are being set by the application server or the application? As per the screenshot of the existing custom response headers configured in the application, we have set the Strict-Transport-Security header at application level.

But from the headers before login, we could see X-Frame-Options, X-Content-Type-Options etc. in the headers, which are not configured at application level and indicates these might be configured at application server level. So, I requested you to validate the configurations at application server level.
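The scanner finding above was raised on the pre-login 302 redirect, and the discussion turns on which hop of the conversation actually carries the header. The following is an added example, not part of this thread or of Pega's own tooling: it parses the 302 response quoted in the plugin output (embedded here as a constructed sample), evaluates the Strict-Transport-Security policy the way a scanner would (present exactly once, with a max-age of at least one year), and includes a hypothetical check_live helper that walks every redirect hop without following redirects automatically, so a header that is only added after login is caught. The max-age threshold and the "fixed" sample values are assumptions for illustration.

```python
"""Check whether every hop of an HTTPS conversation carries a valid HSTS header.

Added example, not from the original thread. The parser is fed the raw 302
response quoted in the scanner output; check_live is a hypothetical helper
for use against your own server and talks to a real host only when called.
"""
import http.client
import ssl
from urllib.parse import urlsplit

# Constructed sample: the pre-login 302 as reported by the scanner plugin.
SAMPLE_302 = (
    "HTTP/1.1 302\r\n"
    "Set-Cookie: JSESSIONID=FF724035664AE00B7B4BF933D90F7847.; Path=/; Secure; HttpOnly\r\n"
    "Location: https:///prweb\r\n"
    "Content-Type: text/html\r\n"
    "Content-Length: 0\r\n"
    "Date: Sun, 31 Mar 2024 13:02:51 GMT\r\n"
    "Connection: close\r\n"
    "\r\n"
)

# Constructed sample: the same response after a Strict-Transport-Security
# header has been added (assumed values: one year, subdomains included).
SAMPLE_302_FIXED = SAMPLE_302.replace(
    "Connection: close\r\n",
    "Connection: close\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n",
)

MIN_MAX_AGE = 31536000  # assumed threshold: one year, as many scanners expect


def parse_headers(raw):
    """Split a raw HTTP/1.x response head into (status_line, headers).
    Header names are lower-cased; repeated headers are kept as a list."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return lines[0], headers


def evaluate_hsts(headers):
    """Return (ok, reason). ok is True only when exactly one HSTS header is
    present, it carries max-age, and max-age is at least MIN_MAX_AGE."""
    values = headers.get("strict-transport-security", [])
    if not values:
        return False, "header missing"
    if len(values) > 1:
        return False, "header sent more than once; browsers honour the first only"
    directives = {}
    for part in values[0].split(";"):
        key, _, val = part.strip().partition("=")
        if key:
            directives[key.lower()] = val.strip().strip('"')
    if "max-age" not in directives:
        return False, "max-age directive missing"
    try:
        max_age = int(directives["max-age"])
    except ValueError:
        return False, "max-age is not an integer"
    if max_age <= 0:
        return False, "max-age=0 disables HSTS"
    if max_age < MIN_MAX_AGE:
        return False, f"max-age {max_age} below {MIN_MAX_AGE}"
    return True, ("includeSubDomains set" if "includesubdomains" in directives
                  else "ok (no includeSubDomains)")


def check_raw_response(raw):
    """Evaluate a captured raw response, e.g. one pasted from a scanner report."""
    status, headers = parse_headers(raw)
    ok, reason = evaluate_hsts(headers)
    return {"status": status, "hsts_ok": ok, "reason": reason}


def check_live(url, max_hops=5):
    """Hypothetical helper: GET url over TLS without auto-following redirects,
    then follow each Location hop by hand, evaluating HSTS on every response.
    This is how the pre-login redirect hop gets checked rather than skipped."""
    results = []
    for _ in range(max_hops):
        parts = urlsplit(url)
        conn = http.client.HTTPSConnection(parts.hostname, parts.port or 443,
                                           context=ssl.create_default_context(),
                                           timeout=10)
        conn.request("GET", parts.path or "/", headers={"Host": parts.netloc})
        resp = conn.getresponse()
        headers = {}
        for name, value in resp.getheaders():
            headers.setdefault(name.lower(), []).append(value)
        ok, reason = evaluate_hsts(headers)
        results.append({"url": url, "status": resp.status, "hsts_ok": ok, "reason": reason})
        location = resp.getheader("Location")
        conn.close()
        if resp.status not in (301, 302, 303, 307, 308) or not location:
            break
        url = location if location.startswith("http") else f"https://{parts.netloc}{location}"
    return results


if __name__ == "__main__":
    print(check_raw_response(SAMPLE_302))        # header missing on the 302
    print(check_raw_response(SAMPLE_302_FIXED))  # passes once the header is added
```

Run check_live against the pre-login URL of your own environment: if the first element of the returned list (the 302 hop) reports "header missing" while later hops pass, the header is being added by the application after session setup and not by the front-end server, which is exactly the distinction the thread is asking support to confirm.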

Issue primary reason description:
Application is no longer vulnerable to the HSTS finding, as HSTS is being handled at application level as part of the custom response headers.

Explanation description:
Please refer to the doc below on how to configure the headers and to understand how the application is secured using response headers.