HSTS Missing From HTTPS Server (RFC 6797)

noshini1 · June 8, 2023, 11:56pm

Hello,

I am looking to resolve the vulnerability " HSTS Missing From HTTPS Server (RFC 6797)" in Jenkins server. I have seen few recommendations to be done in web.xml file from Tomcat perspective. However, I need better clarity as Jenkins uses its own Java servlet container.
Any help would be appreciated.

Thanks
Noshini

halkeye · June 12, 2023, 5:12am

My recommendation is to add a reverse proxy where you can add https/headers/etc.

You can do a lot of things to jenkins itself, but i always find managing https is a lot easier externally.

ayodeletolu12 · February 15, 2024, 7:55pm

Hi, @noshini1 were you able to remediate this HSTS missing from HTTPS vulnerability? I am in the same shoes now. How were you able to enforce HTTP Strict Transport Security. My Jenkins run on Linux server.

Help will be appreciated

noshini1 · February 16, 2024, 2:25pm

Please try following this link and see if it works for you. I remember we added Strict transport security header in one of the xml files.
https://kinsta.com/knowledgebase/hsts-missing-from-https-server/#:~:text=Sometimes%2C%20an%20IT%20security%20scan,as%20a%20medium%2Drisk%20vulnerability.

Topic		Replies	Views
Unable to get SSL working on Jenkins running on Linux Using Jenkins	2	2462	October 16, 2023
HTTPS not working after jenkins upgrade (only HTTP) Using Jenkins question	1	718	June 9, 2023
How to configure http to https in oracle linux 8 release? Using Jenkins question	3	527	November 14, 2023
Reverse proxy issue with IIS after upgrading to 2.479.1 Ask a question	10	351	January 15, 2025
What is best recommended way to enable https into Jenkins Ask a question	7	608	February 28, 2025

HSTS Missing From HTTPS Server (RFC 6797)

Related topics