how to add HSTS max-age=31536000 in CISCO ISE on port 9060

ik4693001 · ‎03-28-2022

API is enabled on CISCO ISE . Need to know how to add HSTS max-age=31536000 in CISCO ISE on port 9060 used by API to close security port scan vulnerability?

UdupiKrishna · ‎03-28-2022

Dont think this a configurable feature, but even its available it may need shell/linux access to ISE to review options.

You may wanna work with TAC to re-confirm this.

ik4693001 · ‎03-30-2022

Hello Krishna,

Thank you for responding.

I am getting the following HSTS vulnerability detected from Tenable security port scan:

HSTS Missing From HTTPS Server (RFC 6797)

The remote HTTPS server is not enforcing HTTP Strict Transport Security (HSTS).
HSTS is an optional response header that can be configured on the server to instruct
the browser to only communicate via HTTPS. The lack of HSTS allows downgrade attacks,
SSL-stripping man-in-the-middle attacks, and weakens cookie-hijacking protections.

The remote web server is not enforcing HSTS.

Would you please share any other ideas, what else I can try?

Thanks a lot in advance!

ivan_abibe · ‎02-22-2023

I'm facing the same probem with the vulnerabilty scans even tho I can confirm that any attempt to access Cisco ISE via http gets redirected to https.

The remote HTTPS server does not send the HTTP
"Strict-Transport-Security" header.