AppSync: The Remote HTTPS Server Does Not Send the HTTP Strict-Transport-Security (HSTS) header. Vulnerability
Summary: False alerts reported by Tenable Nessus for port 8444 on AppSync server.
This article is not tied to any specific product.
Not all product versions are identified in this article.
Symptoms
Tenable Nessus incorrectly reports the following message for port 8444, for which no CVE exists:
The remote web server is not enforcing HSTS, as defined by RFC 6797. HSTS is an optional response header that can be configured on the server to instruct the browser to only communicate via HTTPS. The lack of HSTS allows downgrade attacks, SSL-stripping man-in-the-middle attacks, and weakens cookie-hijacking protections.
Cause
Third-party (non-Dell) software, Tenable Nessus, reports a false security alarm.
Resolution
AppSync Engineering confirmed that this is a false alarm and assures customers that AppSync's published APIs on ports 8444 or 8445 are protected with HSTS enabled.
Additional Information
HTTP Strict Transport Security (HSTS) is a simple, widely supported standard to protect visitors by ensuring that their browsers always connect to a website over HTTPS.
Here is the URL that AppSync redirects to; it automatically uses HTTPS:
https://AppSync01:8444/auth/realms/appsync/protocol/openid-connect/auth?client_id=appsync_ ...
Affected Products
AppSync
Article Properties
Article Number: 000217002
Article Type: Solution
Last Modified: 18 Sept 2025
Version: 4