1797 Views | 0 Helpful | 3 Replies

How to add HSTS max-age=31536000 in Cisco ISE on port 9060

ik4693001
Level 1

API is enabled on Cisco ISE. Need to know how to add HSTS max-age=31536000 in Cisco ISE on port 9060 (used by the API) to close a security port scan vulnerability?

3 Replies

Udupi Krishna.
Cisco Employee

Don't think this is a configurable feature, but even if it's available it may need shell/Linux access to ISE to review options.

You may want to work with TAC to re-confirm this.

ik4693001
Level 1

Hello Krishna,

Thank you for responding.

I am getting the following HSTS vulnerability detected from a Tenable security port scan:

HSTS Missing From HTTPS Server (RFC 6797)

The remote HTTPS server is not enforcing HTTP Strict Transport Security (HSTS).
HSTS is an optional response header that can be configured on the server to instruct
the browser to only communicate via HTTPS. The lack of HSTS allows downgrade attacks,
SSL-stripping man-in-the-middle attacks, and weakens cookie-hijacking protections.

The remote web server is not enforcing HSTS.

Would you please share any other ideas, what else I can try?

Thanks a lot in advance!

ivan_abibe
Level 1

I'm facing the same problem with the vulnerability scans even though I can confirm that any attempt to access Cisco ISE via http gets redirected to https.

The remote HTTPS server does not send the HTTP
"Strict-Transport-Security" header.
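The scanner finding quoted earlier in the thread and the last reply both come down to the same check: does the HTTPS response carry a `Strict-Transport-Security` header with a large enough `max-age`? A redirect from http to https does not satisfy it, because HSTS is a header the browser must receive over TLS, not a redirect. The script below is an added example, not code from this thread or from Cisco ISE; it parses raw HTTP responses the way a scanner would and grades the HSTS policy against the one-year value (31536000 seconds) asked about in the question. The sample responses are constructed for the example, and the host name in them is a placeholder.

```python
"""Grade an HTTPS response's Strict-Transport-Security header (RFC 6797).

Added example: constructed sample responses are embedded so the check runs
offline; the threshold of 31536000 seconds (one year) is the value asked
about in the thread. To test a live node you would capture the response from
the port in question (for ISE, the API port 9060) and pass its bytes in.
"""
from __future__ import annotations

from dataclasses import dataclass

ONE_YEAR = 31536000


@dataclass
class HstsResult:
    status: str            # "ok", "missing", "too-short" or "invalid"
    max_age: int | None    # parsed max-age in seconds, if present
    include_subdomains: bool
    preload: bool
    note: str


def parse_http_response(raw: bytes) -> tuple[int, dict[str, list[str]]]:
    """Split a raw HTTP/1.x response into (status code, header map).

    Header names are lower-cased because they are case-insensitive; values
    are kept in a list because a header field may legitimately repeat.
    """
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    status_code = int(lines[0].split(" ", 2)[1])
    headers: dict[str, list[str]] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")   # split on the first colon only
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return status_code, headers


def parse_hsts(value: str) -> dict[str, str | None]:
    """Parse STS directives, e.g. 'max-age=31536000; includeSubDomains; preload'.

    Directive names are case-insensitive; max-age may be a quoted string.
    """
    directives: dict[str, str | None] = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, sep, val = part.partition("=")
        directives[name.strip().lower()] = val.strip().strip('"') if sep else None
    return directives


def evaluate_hsts(raw_response: bytes, min_max_age: int = ONE_YEAR) -> HstsResult:
    """Return how the response's HSTS policy measures up to min_max_age."""
    status_code, headers = parse_http_response(raw_response)
    values = headers.get("strict-transport-security", [])
    if not values:
        note = "no Strict-Transport-Security header"
        locations = headers.get("location", [])
        if 300 <= status_code < 400 and any(l.lower().startswith("https://") for l in locations):
            note += "; a redirect to https:// is not a substitute for HSTS"
        return HstsResult("missing", None, False, False, note)
    # RFC 6797 section 8.1: only the first STS header field is processed.
    directives = parse_hsts(values[0])
    raw_age = directives.get("max-age")
    if raw_age is None or not raw_age.isdigit():
        return HstsResult("invalid", None, False, False, "max-age missing or not numeric")
    max_age = int(raw_age)
    include_subdomains = "includesubdomains" in directives
    preload = "preload" in directives
    if max_age < min_max_age:
        return HstsResult("too-short", max_age, include_subdomains, preload,
                          f"max-age {max_age} is below {min_max_age}")
    return HstsResult("ok", max_age, include_subdomains, preload, "policy meets the threshold")


# Constructed sample responses (not captured from any real ISE node).
SAMPLES = {
    "missing": b"HTTP/1.1 200 OK\r\nContent-Type: application/json\r\n\r\n{}",
    "redirect_only": b"HTTP/1.1 301 Moved Permanently\r\nLocation: https://ise.example.test/\r\n\r\n",
    "too_short": b"HTTP/1.1 200 OK\r\nStrict-Transport-Security: max-age=3600\r\n\r\n",
    "ok": (b"HTTP/1.1 200 OK\r\n"
           b"strict-transport-security: max-age=31536000; includeSubDomains\r\n\r\n"),
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        r = evaluate_hsts(raw)
        print(f"{label:14} -> {r.status:9} {r.note}")
```

The "redirect_only" sample reproduces the situation in the last reply: the server answers with a redirect to https:// but still sends no HSTS header, so a scanner keyed to RFC 6797 reports it as missing. Only a response on the scanned port that carries `Strict-Transport-Security: max-age=31536000` (or larger) clears the finding.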