PowerStore: Vulnerability reported that HSTS is missing, not enforcing

Summary: A vulnerability scanner reports that HTTP Strict Transport Security (HSTS) is missing or that an HTTP security header was not detected.


Symptoms

This vulnerability alert has been reported on PowerStore in Qualys and Nessus scanners: 
Qualys Identifier (QID) 11827 "HTTP Security Header Not Detected"
Nessus 84502 "The remote web server is not enforcing HSTS."
Nessus 142960 "HSTS Missing From HTTPS Server (RFC 6797)"

Cause

HTTP Strict Transport Security (HSTS) is an optional response header that can be configured on the server to instruct the browser to only communicate over HTTPS. The lack of HSTS allows downgrade attacks, SSL-stripping man-in-the-middle attacks, and weakens cookie-hijacking protections when using HTTP.

Resolution

When only HTTPS is used, there is no redirection and therefore no need for HSTS. This finding is a false positive and does not apply to PowerStore when the HTTP to HTTPS redirect is disabled. This is the recommended configuration according to our Security best practices document.

HTTP to HTTPS redirect is disabled by default:
Page 63 of the PowerStore Security Configuration Guide 

With the HTTP to HTTPS redirect disabled, only HTTPS is exposed; HTTP (port 80) is blocked.
HTTP is not supported for security purposes. Enabling the HTTP redirect to HTTPS feature allows users who go to PowerStore Manager to be automatically redirected from http:// to https://. However, enabling HTTP redirect is less secure than having users type the full https:// address at the time of PowerStore Manager login.
Enabling or disabling the HTTP redirect to HTTPS feature is a cluster-wide operation.
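
To confirm which case a given cluster is in before closing the scanner finding, the following added example (not Dell code and not part of the original article) checks whether port 80 is reachable and reads the HSTS header from the HTTPS listener. The function names, the verdict strings, and the "finding-applies" verdict for a reachable port 80 without a usable HSTS policy are assumptions made for this illustration.

```python
import http.client
import socket
import sys

def port_open(host, port, timeout=3.0):
    """True if a TCP connection to host:port succeeds."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def fetch_hsts(host, port=443, timeout=5.0, context=None):
    """Strict-Transport-Security value from GET / over HTTPS, or None.
    Certificate checks use Python defaults; pass an ssl.SSLContext that
    trusts the appliance's CA if its certificate is privately signed."""
    conn = http.client.HTTPSConnection(host, port, timeout=timeout, context=context)
    try:
        conn.request("GET", "/")
        return conn.getresponse().getheader("Strict-Transport-Security")
    finally:
        conn.close()

def hsts_max_age(header):
    """max-age in seconds from an HSTS header value; None if missing or malformed."""
    for directive in (header or "").split(";"):
        name, _, value = directive.partition("=")
        if name.strip().lower() == "max-age":
            value = value.strip().strip('"')
            return int(value) if value.isascii() and value.isdigit() else None
    return None

def triage(http_open, hsts_header):
    """Classify the scanner finding from what was observed on the wire."""
    if not http_open:
        # HTTPS only, nothing to redirect: the article's false-positive case.
        return "false-positive"
    # RFC 6797: max-age=0 tells the browser to drop the policy, so require > 0.
    if (hsts_max_age(hsts_header) or 0) > 0:
        return "hsts-enforced"
    # Assumption of this example: HTTP reachable and no usable HSTS policy.
    return "finding-applies"

if __name__ == "__main__":
    host = sys.argv[1]  # PowerStore Manager address, supplied by the operator
    http_open = port_open(host, 80)
    header = fetch_hsts(host) if port_open(host, 443) else None
    print(f"80/tcp open={http_open} HSTS={header!r} -> {triage(http_open, header)}")
```

Run it from the same network segment as the scanner, since a firewall between the two vantage points can change whether port 80 appears open.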

Additional Information

Affected Products

PowerStore 1000X, PowerStore 1000T, PowerStore 1200T, PowerStore 3000X, PowerStore 3000T, PowerStore 3200T, PowerStore 5000X, PowerStore 5000T, PowerStore 500T, PowerStore 5200T

Products

PowerStore 7000X, PowerStore 7000T, PowerStore 9000X, PowerStore 9000T, PowerStore 9200T
Article Properties
Article Number: 000222071
Article Type: Solution
Last Modified: 25 Jul 2025
Version:  3