HTTP Security Header - HTTP Strict Transport Security (HSTS) Missing From HTTPS Server (RFC 6797)

HTTP Security Header - HTTP Strict Transport Security (HSTS) Missing From HTTPS Server (RFC 6797)

9158
Created On 03/17/23 14:18 PM - Last Modified 04/22/24 06:57 AM


Symptom


  • During the Pentest scanning of PAN-OS 10.2.x, HTTP Security header is reported as missing.
  • This can be checked with the curl command.
test-host-> curl -I -k https://w.x.y.z
HTTP/1.1 302 Found
Date: Fri, 17 Mar 2023 13:53:28 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
Set-Cookie: PHPSESSID=d90l0umcr2s5b74jkvc12l0orr; path=/; secure; HttpOnly
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Location: /php/login.php?
Allow: GET, HEAD, POST, PUT, DELETE, OPTIONS
  • The above header output does not show "Strict-Transport-Security" but it also redirects the page to /php/login.php with HTTP 302 Found.
  • While checking the headers in the redirected page /php/loginphp, it displays the security header  "Strict-Transport-Security: max-age=31536000" as shown below.
test-host-> curl -I -k https://w.x.y.z/php/login.php
HTTP/1.1 200 OK
Date: Fri, 17 Mar 2023 13:53:54 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
Cache-Control: no-store, no-cache, must-revalidate
Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-eval' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; frame-ancestors 'self'
Strict-Transport-Security: max-age=31536000 <<<<-----
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
X-XSS-Protection: 1; mode=block
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Set-Cookie: PHPSESSID=6jp2219a8dfev8djdulc4eqats; path=/; secure; HttpOnly; SameSite=strict
Set-Cookie: PHPSESSID=6jp2219a8dfev8djdulc4eqats; path=/; secure; HttpOnly; SameSite=strict
Allow: GET, HEAD, POST, PUT, DELETE, OPTIONS

Environment


  • Palo Alto Firewalls
  • PanOS 10.2.x
  • Management Interface
  • HTTPS

Cause


The root URL of the management interface is missing the following security header from the base URL. 
Strict-Transport-Security: max-age=31536000

Resolution


  1. The root URL does 302 redirects to the login page which has the "Strict-Transport-Security" header.
  2. There is no vulnerability or risk since the redirected page has the "Strict-Transport-Security".
  3. The issue has been addressed in the PAN-OS 10.2.4 /11.0.0 release and later.

Additional Information


It is not an issue in 8.0.18, 8.1.9, 9.0.4, and 9.1.5, in 10.1.
Other users also viewed:
Actions
  • Print
  • Copy Link

    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000sb6ECAQ&lang=en_US&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail

Choose Language