AppSync: The Remote HTTPS Server Does Not Send the HTTP Strict-Transport-Security (HSTS) header. Vulnerability
Summary: Tenable Nessus reports a false positive for port 8444 on the AppSync server.
This article is not tied to a specific product.
Not all product versions are listed in this article.
Symptoms
Tenable Nessus incorrectly reports the following finding against port 8444 (no CVE is associated with it):
The remote web server is not enforcing HSTS, as defined by RFC 6797. HSTS is an optional response header that can be configured on the server to instruct the browser to only communicate via HTTPS. The lack of HSTS allows downgrade attacks, SSL-stripping man-in-the-middle attacks, and weakens cookie-hijacking protections.
Cause
Third-party (non-Dell) software reports a false positive.
Resolution
AppSync Engineering confirmed that this is a false positive: the AppSync published APIs on ports 8444 and 8445 are served with HSTS enabled.
Additional information
HTTP Strict Transport Security (HSTS, RFC 6797) is a simple, widely supported standard: the server sends a Strict-Transport-Security response header with a max-age, and for that period the browser connects to the host only over HTTPS and will not let the user bypass certificate errors.
Below is the URL that AppSync redirects to; it uses HTTPS automatically:
https://AppSync01:8444/auth/realms/appsync/protocol/openid-connect/auth?client_id=appsync_ ...
Affected products
AppSync
Article properties
Article number: 000217002
Article type: Solution
Last modified: 18 Sept. 2025
Version: 4