how to add HSTS max-age=31536000 in CISCO ISE on port 9060

ik4693001
Beginner

API is enabled on Cisco ISE. Need to know how to add HSTS max-age=31536000 in Cisco ISE on port 9060, used by the API, to close a security port-scan vulnerability?

3 Replies

UdupiKrishna
Cisco Employee

Don't think this is a configurable feature, but even if it is available it may need shell/Linux access to ISE to review the options.

You may want to work with TAC to reconfirm this.

ik4693001
Beginner

Hello Krishna,

Thank you for responding.

I am getting the following HSTS vulnerability detected from a Tenable security port scan:

HSTS Missing From HTTPS Server (RFC 6797)

The remote HTTPS server is not enforcing HTTP Strict Transport Security (HSTS).
HSTS is an optional response header that can be configured on the server to instruct
the browser to only communicate via HTTPS. The lack of HSTS allows downgrade attacks,
SSL-stripping man-in-the-middle attacks, and weakens cookie-hijacking protections.

The remote web server is not enforcing HSTS.

Would you please share any other ideas, what else I can try?

Thanks a lot in advance!

ivan_abibe
Beginner

I'm facing the same problem with the vulnerability scans even though I can confirm that any attempt to access Cisco ISE via HTTP gets redirected to HTTPS.

The remote HTTPS server does not send the HTTP
"Strict-Transport-Security" header.
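Added example, not code from the thread or from Cisco: a small Python checker that does what the scanner in the two posts above does. It opens a TLS connection to the API port, sends one request, and looks for the Strict-Transport-Security header in the HTTPS response itself. RFC 6797 has the client honour that header only when it arrives over HTTPS, so an HTTP-to-HTTPS redirect on its own (the behaviour ivan_abibe confirmed) does not clear the finding; the header has to be on the HTTPS response. The host name, port 9060 and the request path "/" are assumptions, the three sample responses are constructed for offline use, and the "weak" verdict for a max-age below 31536000 is this example's own threshold, not Tenable's.

```python
import socket
import ssl

# One year, the value asked for in the original question.
REQUIRED_MAX_AGE = 31536000

# Constructed sample responses (not captured from a real ISE node), used so the
# classifier below can be exercised offline.
SAMPLE_MISSING = (
    b"HTTP/1.1 401 Unauthorized\r\n"
    b"Content-Type: application/json\r\n"
    b"Content-Length: 0\r\n\r\n"
)
SAMPLE_WEAK = (
    b"HTTP/1.1 200 OK\r\n"
    b"Strict-Transport-Security: max-age=300\r\n"
    b"Content-Length: 0\r\n\r\n"
)
SAMPLE_OK = (
    b"HTTP/1.1 200 OK\r\n"
    b"strict-transport-security: max-age=31536000; includeSubDomains\r\n"
    b"Content-Length: 0\r\n\r\n"
)


def parse_headers(raw: bytes) -> dict:
    """Parse the head of a raw HTTP response into a dict keyed by lower-cased
    header name. Repeated headers are joined with ', '."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        name, value = name.strip().lower(), value.strip()
        headers[name] = f"{headers[name]}, {value}" if name in headers else value
    return headers


def parse_hsts(value: str) -> dict:
    """Split an HSTS header value (RFC 6797 section 6.1) into its directives,
    e.g. {'max-age': 31536000, 'includesubdomains': True}."""
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" in part:
            key, val = part.split("=", 1)
            key, val = key.strip().lower(), val.strip().strip('"')
            directives[key] = int(val) if key == "max-age" and val.isdigit() else val
        else:
            directives[part.lower()] = True
    return directives


def assess_hsts(raw: bytes, required_max_age: int = REQUIRED_MAX_AGE) -> str:
    """Classify a raw HTTPS response: 'missing' (no header, what the scanner
    reports), 'weak' (max-age below the target; this example's own threshold)
    or 'ok'."""
    hsts = parse_headers(raw).get("strict-transport-security")
    if hsts is None:
        return "missing"
    max_age = parse_hsts(hsts).get("max-age")
    if not isinstance(max_age, int) or max_age < required_max_age:
        return "weak"
    return "ok"


def fetch_head(host: str, port: int = 9060, path: str = "/", timeout: float = 5.0) -> bytes:
    """Connect over TLS to host:port (assumed: the ISE API port) and return the
    raw response head. Certificate checks are disabled only so a self-signed
    ISE certificate does not block the header check; do not reuse elsewhere."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    request = f"GET {path} HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n".encode()
    buf = b""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            tls.sendall(request)
            while b"\r\n\r\n" not in buf:
                chunk = tls.recv(4096)
                if not chunk:
                    break
                buf += chunk
    return buf


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:  # python hsts_check.py ise-node.example.com
        raw = fetch_head(sys.argv[1])
        print(parse_headers(raw).get("strict-transport-security"), assess_hsts(raw))
    else:
        for label, sample in (("missing", SAMPLE_MISSING), ("weak", SAMPLE_WEAK), ("ok", SAMPLE_OK)):
            print(label, "->", assess_hsts(sample))
```

Run it with the node's host name to see exactly what port 9060 returns; run it without arguments to exercise the classifier on the constructed samples. Because the check reads the HTTPS response directly, a redirect on the plain-HTTP port does not influence the result, which is the same reason the scanner still flags a server whose HTTP listener redirects to HTTPS.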
