Symptoms
The Nessus scanner and Chrome's Web Developer tools show the HSTS TTL as 15,780,000 seconds (6 months).
Security requires this to be at least 31536000 seconds (1 year).
Cause
This is an issue with the Nessus scanner and the web developer tools not reporting the correct information.
Resolution
This is usually a false positive, as the default HSTS setting in DPC is 63072000 seconds (2 years). To check the settings, log into the DPC via SSH/PuTTY as admin, switch to root with su -, and run the following command:
curl -k -i https://<FQDN> | less
Where <FQDN> is the FQDN of the DPC server. You will get output like the following:
Server: nginx
Date: Wed, 22 Nov 2023 19:52:17 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 648123
Connection: keep-alive
X-DNS-Prefetch-Control: off
X-Frame-Options: SAMEORIGIN
Strict-Transport-Security: max-age=15552000; includeSubDomains
X-Download-Options: noopen
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Accept-Ranges: bytes
Cache-Control: public, max-age=0
Last-Modified: Mon, 11 Sep 2023 12:07:27 GMT
ETag: W/"9e3bb-18a8423b418"
Cache-Control: no-cache, no-store, must-revalidate
Pragma: no-cache
Expires: 0
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
Strict-Transport-Security: max-age=63072000; includeSubdomains;
Content-Security-Policy: frame-ancestors 'self'; object-src 'self'; default-src 'self' 'unsafe-inline' data:; script-src 'self' 'unsafe-inline';
The 'Strict-Transport-Security: max-age=63072000; includeSubdomains;' line shows that this is set to 63072000 seconds, or 2 years.
You can also check the /etc/nginx/conf.d/default.conf file, where you will see the following sections showing the max-age:
Below is the output from the web Developer tools in Chrome for the same system as above:
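The manual curl check above can be turned into a repeatable script. The following is an added example, not part of the original article and not DPC vendor code: it parses Strict-Transport-Security headers from a response, reports the lowest max-age it finds, and compares it with the 31536000-second minimum from the Symptoms section. The sample header block is constructed from the curl output shown above, which carries two Strict-Transport-Security lines (max-age=15552000 and max-age=63072000); the check_host function takes a hostname such as the <FQDN> placeholder and is an assumed wrapper around curl, not something the DPC ships.

```shell
#!/bin/sh
# hsts_check.sh: parse Strict-Transport-Security (HSTS) response headers and
# report whether the lowest max-age present meets a required minimum.

# Constructed sample, reduced from the article's curl output. It deliberately
# keeps both HSTS lines that appear there.
SAMPLE_HEADERS='Server: nginx
Strict-Transport-Security: max-age=15552000; includeSubDomains
X-Content-Type-Options: nosniff
Strict-Transport-Security: max-age=63072000; includeSubdomains;
'

# hsts_min_max_age: read raw response headers on stdin; print the smallest
# max-age found across all HSTS header lines (prints nothing if none present).
hsts_min_max_age() {
    tr -d '\r' | awk '
    tolower($0) ~ /^strict-transport-security:/ {
        n = split($0, parts, ";")
        for (i = 1; i <= n; i++) {
            d = parts[i]
            gsub(/^[ \t]+|[ \t]+$/, "", d)   # trim whitespace around the directive
            sub(/^[^:]*:[ \t]*/, "", d)       # strip the header name from the first directive
            if (tolower(d) ~ /^max-age=[0-9]+$/) {
                v = substr(d, 9) + 0          # value after "max-age="
                if (min == "" || v < min) min = v
            }
        }
    }
    END { if (min != "") print min }'
}

# hsts_status: read headers on stdin, compare the lowest max-age with $1
# (default 31536000 = 1 year). Exit 0 = meets minimum, 1 = too low,
# 2 = no HSTS header at all.
hsts_status() {
    required=${1:-31536000}
    age=$(hsts_min_max_age)
    if [ -z "$age" ]; then
        echo "MISSING Strict-Transport-Security header"
        return 2
    fi
    if [ "$age" -ge "$required" ]; then
        echo "OK max-age=$age"
        return 0
    fi
    echo "LOW max-age=$age (< $required)"
    return 1
}

# check_host: live check of a real server (assumed helper, e.g. check_host <FQDN>).
# -k matches the article's self-signed-cert usage, -D - dumps headers to stdout,
# -o /dev/null discards the body so only headers reach the parser.
check_host() {
    curl -k -s -o /dev/null -D - "https://$1/" | hsts_status "$2"
}

# Offline demonstration on the constructed sample.
echo "lowest max-age in sample: $(printf '%s' "$SAMPLE_HEADERS" | hsts_min_max_age)"
```

The script reports the lowest value rather than the last one because RFC 6797 (section 8.1) requires a user agent that receives more than one Strict-Transport-Security header in a response to process only the first, so when two are present it is the earlier, smaller max-age that governs the browser's HSTS cache. Running the offline demonstration on the sample above therefore yields 15552000, and a live run would be `check_host <FQDN>` followed by an optional minimum in seconds as the second argument.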