HTTP Strict Transport Security (HSTS) missing from HTTPS server (RFC 6797) on EAP

Solution Verified

Issue

  • The Nessus security scanner detects the vulnerability "HSTS missing from HTTPS server (RFC 6797)" on the node using the standalone.xml profile.
  • Tried setting a Strict-Transport-Security header filter on the Undertow subsystem, and also on the management HTTP interface, but the scanner still reports the RFC 6797 finding.
  • How to enable HSTS for the management interfaces in JBoss EAP?
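The scanner finding above is a test of the HTTP response headers on each HTTPS listener. The following added example (not from this article, and not Red Hat's or Nessus's code) reproduces that test locally: it parses a Strict-Transport-Security field per RFC 6797 section 6.1 and reports, for a set of constructed sample responses, whether a scanner would raise "HSTS missing from HTTPS server". The listener names and header sets in `SAMPLE_RESPONSES` are constructed; substitute the headers captured from your own application and management HTTPS ports.

```python
"""RFC 6797 Strict-Transport-Security check, run over constructed sample responses.

Added example: mirrors what a scanner tests for the "HSTS missing from HTTPS
server" finding, so each HTTPS listener can be verified before re-scanning.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# token / quoted-string grammar (RFC 7230 s3.2.6) used by RFC 6797 s6.1 directives
_TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
_DIRECTIVE_RE = re.compile(rf'\s*({_TOKEN})\s*(?:=\s*("(?:[^"\\]|\\.)*"|{_TOKEN}))?\s*$')


@dataclass
class HstsPolicy:
    max_age: int
    include_subdomains: bool = False
    extras: Dict[str, Optional[str]] = field(default_factory=dict)  # e.g. "preload"


def _split_directives(value: str) -> List[str]:
    """Split on ';' while respecting quoted-strings (a ';' inside quotes is data)."""
    parts, buf, in_quotes, escaped = [], [], False, False
    for ch in value:
        if escaped:
            buf.append(ch)
            escaped = False
            continue
        if in_quotes and ch == "\\":
            buf.append(ch)
            escaped = True
            continue
        if ch == '"':
            in_quotes = not in_quotes
        if ch == ";" and not in_quotes:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf))
    return parts


def parse_hsts(value: str) -> HstsPolicy:
    """Parse an STS field value; raise ValueError if it does not conform to RFC 6797 s6.1."""
    seen: Dict[str, Optional[str]] = {}
    for raw in _split_directives(value):
        if raw.strip() == "":
            continue  # empty slots such as "max-age=1;; preload" are tolerated
        m = _DIRECTIVE_RE.match(raw)
        if not m:
            raise ValueError(f"malformed directive: {raw!r}")
        name = m.group(1).lower()  # directive names are case-insensitive
        val = m.group(2)
        if val is not None and val.startswith('"'):
            val = re.sub(r"\\(.)", r"\1", val[1:-1])  # drop quotes, unescape quoted-pairs
        if name in seen:
            raise ValueError(f"directive appears more than once: {name}")
        seen[name] = val
    max_age = seen.pop("max-age", None)
    if max_age is None or not max_age.isdigit():
        raise ValueError("required max-age directive missing or not delta-seconds")
    include = "includesubdomains" in seen
    if include and seen.pop("includesubdomains") is not None:
        raise ValueError("includeSubDomains is a valueless directive (s6.1.2)")
    return HstsPolicy(max_age=int(max_age), include_subdomains=include, extras=seen)


def evaluate_response(scheme: str, headers: List[Tuple[str, str]]) -> str:
    """Return the verdict a scanner would give for one response from one listener."""
    if scheme.lower() != "https":
        return "not applicable: STS is only honoured over a secure transport (s8.1)"
    sts = [v for k, v in headers if k.lower() == "strict-transport-security"]
    if not sts:
        return "FINDING: HSTS missing from HTTPS server (RFC 6797)"
    try:
        policy = parse_hsts(sts[0])  # UAs process only the first STS field (s8.1)
    except ValueError as exc:
        return f"FINDING: HSTS header present but non-conforming: {exc}"
    if policy.max_age == 0:
        return "FINDING: max-age=0 tells UAs to forget the host's HSTS policy (s6.1.1)"
    return (f"ok: max-age={policy.max_age}, includeSubDomains={policy.include_subdomains}"
            + (", extra STS fields after the first are ignored" if len(sts) > 1 else ""))


# Constructed sample responses: listener name -> (scheme, response headers)
SAMPLE_RESPONSES: Dict[str, Tuple[str, List[Tuple[str, str]]]] = {
    "app-8443": ("https", [("Content-Type", "text/html"),
                           ("Strict-Transport-Security", "max-age=31536000; includeSubDomains")]),
    "mgmt-9993": ("https", [("Content-Type", "application/json"),
                            ("X-Frame-Options", "SAMEORIGIN")]),
    "plain-8080": ("http", [("Strict-Transport-Security", "max-age=31536000")]),
}


def scan(samples: Dict[str, Tuple[str, List[Tuple[str, str]]]] = SAMPLE_RESPONSES) -> Dict[str, str]:
    """Evaluate every sampled listener and return its verdict."""
    return {name: evaluate_response(scheme, hdrs) for name, (scheme, hdrs) in samples.items()}


if __name__ == "__main__":
    for listener, verdict in scan().items():
        print(f"{listener:11} {verdict}")
```

Run it and the constructed `mgmt-9993` listener is the one still flagged: in EAP the application (Undertow) HTTPS listener and the management HTTPS interface are separate listeners, so a header filter that is visible on one port says nothing about the other, and a scan verdict has to be read per listener. Capturing the real headers from each port and feeding them through `evaluate_response` shows which listener the scanner is still complaining about.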

Environment

  • Red Hat Enterprise Application Platform (EAP)
    • 7.4
  • Red Hat Enterprise Linux (RHEL)
    • 8.6
