topic Re: how to add HSTS max-age=31536000 in CISCO ISE on port 9060 in Web Security

how to add HSTS max-age=31536000 in CISCO ISE on port 9060

ik4693001 — Mon, 28 Mar 2022 20:24:28 GMT

API is enabled on CISCO ISE . Need to know how to add HSTS max-age=31536000 in CISCO ISE on port 9060 used by API to close security port scan vulnerability?

Re: how to add HSTS max-age=31536000 in CISCO ISE on port 9060

Udupi Krishna. — Tue, 29 Mar 2022 02:15:45 GMT

Dont think this a configurable feature, but even its available it may need shell/linux access to ISE to review options.

You may wanna work with TAC to re-confirm this.

Re: how to add HSTS max-age=31536000 in CISCO ISE on port 9060

ik4693001 — Wed, 30 Mar 2022 13:59:04 GMT

Hello Krishna,

Thank you for responding.

I am getting the following HSTS vulnerability detected from Tenable security port scan:

HSTS Missing From HTTPS Server (RFC 6797)

The remote HTTPS server is not enforcing HTTP Strict Transport Security (HSTS).
HSTS is an optional response header that can be configured on the server to instruct
the browser to only communicate via HTTPS. The lack of HSTS allows downgrade attacks,
SSL-stripping man-in-the-middle attacks, and weakens cookie-hijacking protections.

The remote web server is not enforcing HSTS.

Would you please share any other ideas, what else I can try?

Thanks a lot in advance!

Re: how to add HSTS max-age=31536000 in CISCO ISE on port 9060

ivan_abibe — Wed, 22 Feb 2023 14:29:02 GMT

I'm facing the same probem with the vulnerabilty scans even tho I can confirm that any attempt to access Cisco ISE via http gets redirected to https.

The remote HTTPS server does not send the HTTP
"Strict-Transport-Security" header.