CloudLink:远程 HTTPS 服务器未强制实施 HTTP 严格传输安全性 (HSTS)
Summary: CloudLink:安全扫描报告“远程 HTTPS 服务器未强制实施 HTTP 严格传输安全 (HSTS)”
This article applies to
This article does not apply to
This article is not tied to any specific product.
Not all product versions are identified in this article.
Symptoms
CloudLink:安全扫描报告:
The remote HTTPS server is not enforcing HTTP Strict Transport Security (HSTS) The remote HTTPS server does not send the HTTP "Strict-Transport-Security" header
HSTS 是一个可选的响应标头,可在服务器上配置,以指示浏览器仅使用 HTTPS 进行通信。缺少 HSTS 允许降级攻击、SSL 剥离中间人攻击,并削弱 cookie 劫持保护。
Cause
这似乎是安全工具报告的误报。
默认情况下,HSTS 在 CloudLink 上处于启用状态。
要确认,请在 Chrome 中查看 CloudLink HTTP 标头,并执行以下作:
默认情况下,HSTS 在 CloudLink 上处于启用状态。
要确认,请在 Chrome 中查看 CloudLink HTTP 标头,并执行以下作:
- Navigate to the Cloudlink UI login page. - Right click on white empty space and select 'Inspect'. - Select the 'Network' tab. - Select one of the Cloudlink HTTP requests on the left panel. - Match the response headers you're seeing to what we expect to see from the KB article
Resolution
HTTP 响应包含所有标头,默认情况下由 https://docs.spring.io/autorepo/docs/spring-security/4.2.3.RELEASE/reference/html/headers.html 设置
HTTP/1.1 200 OK Date: Fri, 22 May 2020 11:51:57 GMT Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Thu, 01 Jan 1970 00:00:00 GMT Strict-Transport-Security: max-age=31536000 ; includeSubDomains X-XSS-Protection: 1; mode=block X-Frame-Options: SAMEORIGIN X-Content-Type-Options: nosniff Content-Type: text/html Last-Modified: Tue, 10 Sep 2019 17:33:22 GMT Accept-Ranges: bytes Vary: Accept-Encoding, User-Agent ETag: W/"C/NxCAz49KYC/NwZBDEXzM" Content-Length: 1349
Affected Products
CloudLink SecureVM, CloudLinkArticle Properties
Article Number: 000181096
Article Type: Solution
Last Modified: 09 Feb 2026
Version: 5
Find answers to your questions from other Dell users
Support Services
Check if your device is covered by Support Services.