
OPERATIONAL DEFECT DATABASE
The Nessus scanner and the Chrome Web Developer tools show the HSTS TTL as 15,780,000 s (six months). Security requires this to be at least 31536000 s (one year).
This is an issue with the Nessus scanner and web tools not reporting correct information.
This is usually a false positive, as the default setting in DPC for HSTS is 63072000 s (two years).

To check the settings, log in to the DPC using SSH/PuTTY as admin, run su - to become root, and run the following command:

    curl -k -i https://<DPCFQDN> | less

where <DPCFQDN> is the FQDN of the DPC server. You get output like the following:

    Server: nginx
    Date: Wed, 22 Nov 2023 19:52:17 GMT
    Content-Type: text/html; charset=UTF-8
    Content-Length: 648123
    Connection: keep-alive
    X-DNS-Prefetch-Control: off
    X-Frame-Options: SAMEORIGIN
    Strict-Transport-Security: max-age=15552000; includeSubDomains
    X-Download-Options: noopen
    X-Content-Type-Options: nosniff
    X-XSS-Protection: 1; mode=block
    Accept-Ranges: bytes
    Cache-Control: public, max-age=0
    Last-Modified: Mon, 11 Sep 2023 12:07:27 GMT
    ETag: W/"9e3bb-18a8423b418"
    Cache-Control: no-cache, no-store, must-revalidate
    Pragma: no-cache
    Expires: 0
    X-Frame-Options: SAMEORIGIN
    X-Content-Type-Options: nosniff
    Strict-Transport-Security: max-age=63072000; includeSubdomains;
    Content-Security-Policy: frame-ancestors 'self'; object-src 'self'; default-src 'self' 'unsafe-inline' data:; script-src 'self' 'unsafe-inline';

The 'Strict-Transport-Security: max-age=63072000; includeSubdomains;' line shows that this is set to 63072000 s, or 2 years.

You can also check the /etc/nginx/conf.d/default.conf file; you see the following sections showing the max-age:

Below is the output from the web Developer tools in Chrome for the same system as above:
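The following checker is an added example and is not code from Dell or from this defect database; it parses the header block shown above (reproduced here as a constructed response head, with an assumed HTTP/1.1 status line that the listing does not show) and reports every Strict-Transport-Security field it finds against the one-year requirement stated above. One caveat a practitioner will want when reconciling scanner output with the curl listing: that listing contains two Strict-Transport-Security fields, with max-age=15552000 first. RFC 6797 section 8.1 requires a user agent to process only the first such field in a response, so a checker should flag duplicate fields and report the first value as the effective one instead of just searching for the two-year value. The fetch_response_head helper is an assumed convenience for running the same parse against a live host; verify=False mirrors curl -k for an appliance with a self-signed certificate.

```python
import http.client
import ssl
from typing import Dict, List, Optional, Tuple

# The page states the requirement as at least 31536000 s (one year).
MIN_MAX_AGE = 31536000

# Constructed sample: the response headers from the curl -k -i listing above,
# trimmed to the relevant fields. The status line is assumed; the listing on
# the page starts at the Server: header.
SAMPLE_RESPONSE_HEAD = (
    "HTTP/1.1 200 OK\r\n"
    "Server: nginx\r\n"
    "Date: Wed, 22 Nov 2023 19:52:17 GMT\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "Strict-Transport-Security: max-age=15552000; includeSubDomains\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "Strict-Transport-Security: max-age=63072000; includeSubdomains;\r\n"
    "Content-Security-Policy: frame-ancestors 'self'; object-src 'self'\r\n"
    "\r\n"
)


def parse_header_fields(head: str) -> List[Tuple[str, str]]:
    """Split a raw response head into (name, value) pairs, preserving wire
    order and duplicates. Names are lower-cased; the status line is skipped."""
    fields: List[Tuple[str, str]] = []
    for line in head.split("\r\n")[1:]:
        if line == "":
            break  # the blank line ends the header block
        name, sep, value = line.partition(":")
        if sep:
            fields.append((name.strip().lower(), value.strip()))
    return fields


def parse_hsts(value: str) -> Dict[str, Optional[str]]:
    """Parse an STS field value into its directives (RFC 6797 section 6.1).
    Directive names are case-insensitive; valueless directives map to None."""
    directives: Dict[str, Optional[str]] = {}
    for token in value.split(";"):
        token = token.strip()
        if not token:
            continue
        name, sep, val = token.partition("=")
        directives[name.strip().lower()] = val.strip().strip('"') if sep else None
    return directives


def describe_seconds(seconds: int) -> str:
    """Render a max-age the way a reviewer reads it: seconds, days, years."""
    return f"{seconds} s (~{seconds / 86400:.0f} days, ~{seconds / 31536000:.2f} years)"


def check_hsts(head: str, minimum: int = MIN_MAX_AGE) -> dict:
    """Evaluate every Strict-Transport-Security field in a response head.
    The effective value is the FIRST field: RFC 6797 section 8.1 says a UA
    MUST process only the first STS field in a response."""
    values = [v for n, v in parse_header_fields(head) if n == "strict-transport-security"]
    report: dict = {"count": len(values), "max_ages": [], "effective_max_age": None,
                    "compliant": False, "findings": []}
    if not values:
        report["findings"].append("no Strict-Transport-Security header present")
        return report
    for v in values:
        raw = parse_hsts(v).get("max-age")
        try:
            report["max_ages"].append(int(raw))
        except (TypeError, ValueError):
            report["max_ages"].append(None)
            report["findings"].append(f"max-age missing or not an integer in {v!r}")
    effective = report["max_ages"][0]
    report["effective_max_age"] = effective
    if len(values) > 1:
        report["findings"].append(
            f"{len(values)} STS fields present; a browser honours only the first "
            f"(max-age={effective})")
    if effective is not None and effective >= minimum:
        report["compliant"] = True
    elif effective is not None:
        report["findings"].append(
            f"effective max-age {describe_seconds(effective)} is below the "
            f"required {describe_seconds(minimum)}")
    return report


def fetch_response_head(host: str, verify: bool = True) -> str:
    """Fetch the raw response head from https://host/ for a live check (not
    used by the sample run below). verify=False mirrors curl -k for an
    appliance that presents a self-signed certificate."""
    ctx = ssl.create_default_context()
    if not verify:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    conn = http.client.HTTPSConnection(host, context=ctx, timeout=10)
    conn.request("GET", "/")
    resp = conn.getresponse()
    lines = [f"HTTP/1.1 {resp.status} {resp.reason}"]
    lines += [f"{k}: {v}" for k, v in resp.getheaders()]
    conn.close()
    return "\r\n".join(lines) + "\r\n\r\n"


if __name__ == "__main__":
    # Offline run against the constructed sample from the listing above.
    for key, val in check_hsts(SAMPLE_RESPONSE_HEAD).items():
        print(f"{key}: {val}")
```

Against the sample, the report lists both values (15552000 and 63072000), names 15552000 as the effective max-age, and marks the response non-compliant with the one-year requirement; the same parse can be run on a live host with check_hsts(fetch_response_head("dpc.example.invalid", verify=False)), where the host name is a placeholder.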