GlobalProtect HTTP header missing includeSubDomains in Strict-Transport-Security
16732
Created On 08/03/21 03:08 AM - Last Modified 01/21/22 22:48 PM
Symptom
When a vulnerability assessment (VA) scan is run against the GlobalProtect Portal, the Strict-Transport-Security response header it returns does not contain the includeSubDomains directive. Scanners commonly report this as a finding; for the portal it is a false positive.
Cause
The portal FQDN is not fixed: each organization defines it manually under its own registered domain. Because the portal is a single administrator-defined hostname rather than a parent domain with a known set of subdomains beneath it, the Strict-Transport-Security header it sends omits includeSubDomains.
Explanation:
includeSubDomains is an optional HSTS directive. When present, it extends the HTTPS-only policy from the responding host to every subdomain of that host; the HSTS specification does not require it.
GlobalProtect enforces HTTPS for the portal in the way HTTP Strict Transport Security (HSTS) expects: plain-HTTP requests are redirected to HTTPS, and the HTTPS response carries the Strict-Transport-Security header that the browser then applies.
- On the first plain-HTTP request to the GlobalProtect Portal, the portal responds with 301 Moved Permanently pointing at the HTTPS URL.
- On later plain-HTTP requests to the same host, the browser rewrites the request to HTTPS itself because the HSTS policy it learned is in force; Chromium-based browsers show this in their developer tools as a 307 Internal Redirect.
- That rewritten request never leaves the browser as plain HTTP, so no HTTP request for the host reaches the firewall (the GP Portal).
- The browser keeps the policy for the number of seconds given in max-age and keeps rewriting plain-HTTP requests to the host for as long as the policy is cached.
- Note: because includeSubDomains is absent, this policy covers only the portal hostname, not any hostname beneath it.
includeSubDomains is not relevant to the GlobalProtect Portal because the portal is one hostname, not a hosted website with a statically defined set of subdomains under it. Any hostname that does sit beneath the portal FQDN is outside the portal's HSTS policy and must send its own Strict-Transport-Security header.
Resolution
None required; this is expected behavior.
Additional Information
To verify the header, request the GlobalProtect Portal over HTTPS with curl or wget and inspect the response headers for the Strict-Transport-Security line, or open the browser's developer tools while loading the portal and look at the response headers there. Check the HTTPS response specifically: browsers ignore a Strict-Transport-Security header on a plain-HTTP response, so the 301 returned on the first HTTP request is not where the policy is learned.
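The following shell script is an added example; it is not part of this article and is not GlobalProtect code. It parses the Strict-Transport-Security header out of raw response headers as curl -sI prints them, and classifies the includeSubDomains finding the way the explanation above does (header absent, max-age=0, host-only policy, or policy extended to subdomains). The hostname gp.example.com and the two sample responses (the 301 on plain HTTP, the HSTS header on HTTPS) are constructed to match the behavior described above, not captured from a real portal.

```shell
#!/bin/sh
# Added example, not from the KB article or from GlobalProtect itself.
# Parses the Strict-Transport-Security (HSTS) header out of raw response
# headers (as printed by "curl -sI") and classifies the includeSubDomains
# finding. Hostname and sample responses are constructed for illustration.

# Constructed sample 1: first plain-HTTP request to the portal. The article
# describes a 301 to the HTTPS URL. Browsers ignore HSTS on HTTP responses,
# so nothing in this response establishes a policy.
SAMPLE_HTTP_HEADERS="HTTP/1.1 301 Moved Permanently
Location: https://gp.example.com/
Content-Length: 0"

# Constructed sample 2: the HTTPS response, carrying HSTS with max-age only,
# which is the pattern a scanner flags. CRLF line endings as curl prints them.
SAMPLE_HTTPS_HEADERS=$(printf 'HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nStrict-Transport-Security: max-age=31536000\r\nX-Frame-Options: DENY\r\n')

# hsts_value RAW_HEADERS -> prints the header value (empty if absent).
# Header names are case-insensitive, so match without regard to case.
hsts_value() {
  printf '%s\n' "$1" | tr -d '\r' \
    | grep -i '^strict-transport-security:' | head -n 1 \
    | sed -e 's/^[^:]*:[[:space:]]*//' -e 's/[[:space:]]*$//'
}

# hsts_max_age VALUE -> prints the max-age number (empty if missing).
# Directives are ';'-separated and case-insensitive; the value may be quoted.
hsts_max_age() {
  printf '%s\n' "$1" | tr ';' '\n' | tr 'A-Z' 'a-z' \
    | sed -n 's/^[[:space:]]*max-age="\{0,1\}\([0-9][0-9]*\).*/\1/p' | head -n 1
}

# hsts_has_subdomains VALUE -> exit 0 if includeSubDomains is present as a
# whole directive token, 1 otherwise.
hsts_has_subdomains() {
  printf '%s\n' "$1" | tr ';' '\n' \
    | sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' \
    | grep -qi '^includesubdomains$'
}

# hsts_assess RAW_HEADERS -> one-line verdict for the scanner finding.
hsts_assess() {
  _val=$(hsts_value "$1")
  if [ -z "$_val" ]; then
    echo "no-hsts"               # header absent: a real finding, not a false positive
    return 0
  fi
  _age=$(hsts_max_age "$_val")
  if [ -z "$_age" ] || [ "$_age" -eq 0 ]; then
    echo "hsts-disabled"         # max-age=0 tells the browser to drop the policy
    return 0
  fi
  if hsts_has_subdomains "$_val"; then
    echo "with-subdomains max-age=$_age"
  else
    echo "host-only max-age=$_age"   # the GlobalProtect Portal case described above
  fi
}

# Top-level use: probe a real portal when a hostname is given on the command
# line (needs network access and curl), otherwise classify the constructed
# samples. The HTTPS URL is the one to check; the HTTP 301 carries no policy.
if [ -n "${1:-}" ]; then
  _live=$(curl -sS -I --max-time 10 "https://$1/")
  printf '%s: %s\n' "$1" "$(hsts_assess "$_live")"
else
  printf 'plain HTTP sample (301): %s\n' "$(hsts_assess "$SAMPLE_HTTP_HEADERS")"
  printf 'HTTPS sample:            %s\n' "$(hsts_assess "$SAMPLE_HTTPS_HEADERS")"
fi
```

Run it with the portal FQDN as the first argument to classify a live response, or with no argument to see the two constructed samples classified. A "host-only" verdict with a non-zero max-age on the HTTPS response is the expected result for the GlobalProtect Portal; "no-hsts" or "hsts-disabled" would be a real finding.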