HSTS Missing From HTTPS Server (RFC 6797)

noshini1 · June 8, 2023, 11:56pm

Hello,

I am looking to resolve the vulnerability " HSTS Missing From HTTPS Server (RFC 6797)" in Jenkins server. I have seen few recommendations to be done in web.xml file from Tomcat perspective. However, I need better clarity as Jenkins uses its own Java servlet container.
Any help would be appreciated.

Thanks
Noshini

halkeye · June 12, 2023, 5:12am

My recommendation is to add a reverse proxy where you can add https/headers/etc.

You can do a lot of things to jenkins itself, but i always find managing https is a lot easier externally.

ayodeletolu12 · February 15, 2024, 7:55pm

Hi, @noshini1 were you able to remediate this HSTS missing from HTTPS vulnerability? I am in the same shoes now. How were you able to enforce HTTP Strict Transport Security. My Jenkins run on Linux server.

Help will be appreciated

noshini1 · February 16, 2024, 2:25pm

Please try following this link and see if it works for you. I remember we added Strict transport security header in one of the xml files.
https://kinsta.com/knowledgebase/hsts-missing-from-https-server/#:~:text=Sometimes%2C%20an%20IT%20security%20scan,as%20a%20medium%2Drisk%20vulnerability.

Topic		Replies	Views
Unable to get SSL working on Jenkins running on Linux Using Jenkins	2	877	October 16, 2023
HTTPS not working after jenkins upgrade (only HTTP) Using Jenkins question	1	492	June 9, 2023
How to configure http to https in oracle linux 8 release? Using Jenkins question	3	294	November 14, 2023
Jenkins refuses to serve jks keystore, claiming it's invalid Ask a question	2	1259	July 12, 2022
There were errors checking the update sites Ask a question	2	2463	November 2, 2023

HSTS Missing From HTTPS Server (RFC 6797)

Related Topics