Loading...
Loading...
Nessus scanner and Chrome Web Developer tools show HSTS TTL as 15,780,000 s (six Months). Security requires this to be at least 31536000 (one Year).
This is an issue with Nessus scanner and web tools not reporting correct information.
This is usually a false positive as the default setting in DPC for HSTS is 63072000 (two Years). To check the settings, log in to the DPC using SSH/Putty as admin and su - to root, and run the following command: curl -k -i https://<DPCFQDN> |less Where <DPCFQDN> is the FQDN of the DPC server. You get an output like the following: Server: nginx Date: Wed, 22 Nov 2023 19:52:17 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 648123 Connection: keep-alive X-DNS-Prefetch-Control: off X-Frame-Options: SAMEORIGIN Strict-Transport-Security: max-age=15552000; includeSubDomains X-Download-Options: noopen X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block Accept-Ranges: bytes Cache-Control: public, max-age=0 Last-Modified: Mon, 11 Sep 2023 12:07:27 GMT ETag: W/"9e3bb-18a8423b418" Cache-Control: no-cache, no-store, must-revalidate Pragma: no-cache Expires: 0 X-Frame-Options: SAMEORIGIN X-Content-Type-Options: nosniff Strict-Transport-Security: max-age=63072000; includeSubdomains; Content-Security-Policy: frame-ancestors 'self'; object-src 'self'; default-src 'self' 'unsafe-inline' data:; script-src 'self' 'unsafe-inline'; The ' Strict-Transport-Security: max-age=63072000; includeSubdomains ;' line shows that this is set to 63072000 s or 2 years. You can also check the /etc/nginx/conf.d/default.conf file, you see the following sections showing the max-age: Below is the output from the web Developer tools in Chrome for the same system as above:
Click on a version to see all relevant bugs
Dell Integration
Learn more about where this data comes from
Bug Scrub Advisor
Streamline upgrades with automated vendor bug scrubs
BugZero Enterprise
Wish you caught this bug sooner? Get proactive today.