AppSync: Remote HTTPS server does not send the HTTP Strict-Transport-Security (HSTS) header vulnerability
Summary: Tenable Nessus reports a false alarm on port 8444 of the AppSync server.
This article is not tied to any specific product.
Not all product versions are identified in this article.
Symptoms
Tenable Nessus incorrectly reports the following message for port 8444, although no CVE exists for that port:
The remote web server is not enforcing HSTS, as defined by RFC 6797. HSTS is an optional response header that can be configured on the server to instruct the browser to only communicate via HTTPS. The lack of HSTS allows downgrade attacks, SSL-stripping man-in-the-middle attacks, and weakens cookie-hijacking protections.
Cause
Non-Dell software reporting an incorrect security alert.
Resolution
AppSync Engineering confirmed that this is a false positive and assures customers that the APIs published by AppSync on ports 8444 and 8445 are protected with HSTS enabled.
Additional Information
HTTP Strict Transport Security (HSTS) is a simple and widely supported standard that protects visitors by ensuring that their browsers always connect to a website over HTTPS.
Below is the URL that AppSync redirects to; it automatically uses HTTPS.
https://AppSync01:8444/auth/realms/appsync/protocol/openid-connect/auth?client_id=appsync_ ...
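To decide for yourself whether a scanner finding like the one above is a false positive, it is worth looking at the raw response headers rather than trusting the tool. The following Python script is an added example and is not part of the Dell article or of AppSync itself: it parses a captured HTTP response, extracts the Strict-Transport-Security header, and applies the rules of RFC 6797 that matter for the verdict (the header only counts when received over HTTPS, a missing or non-numeric max-age makes it invalid, and max-age=0 tells the browser to drop the policy). The sample responses are constructed for the example; the hostname appsync.example and the redirect target are placeholders, not captured from a real system.

```python
"""Assess whether an HTTP response carries a usable HSTS policy (RFC 6797).

Added example, not AppSync code. The sample responses below are constructed;
the host and paths are placeholders.
"""
from __future__ import annotations

# Constructed sample responses. Only the header block matters for HSTS.
SAMPLE_RESPONSES = {
    "with_hsts": (
        "HTTP/1.1 302 Found\r\n"
        "Location: https://appsync.example:8444/auth/realms/appsync/"
        "protocol/openid-connect/auth?client_id=PLACEHOLDER\r\n"
        "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
        "Content-Length: 0\r\n\r\n"
    ),
    "without_hsts": (
        "HTTP/1.1 200 OK\r\n"
        "Content-Type: text/html\r\n"
        "Content-Length: 0\r\n\r\n"
    ),
    "zero_max_age": (
        "HTTP/1.1 200 OK\r\n"
        "strict-transport-security: max-age=0\r\n\r\n"
    ),
}


def parse_headers(raw_response: str) -> dict[str, str]:
    """Return response headers keyed by lower-cased name (names are case-insensitive)."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    headers: dict[str, str] = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers


def parse_hsts(value: str) -> dict:
    """Parse the STS directives. Directive names are case-insensitive (RFC 6797 6.1)."""
    policy = {"max_age": None, "include_subdomains": False, "preload": False}
    for directive in value.split(";"):
        name, _, val = directive.strip().partition("=")
        name = name.strip().lower()
        val = val.strip().strip('"')
        if name == "max-age" and val.isdigit():
            policy["max_age"] = int(val)
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":
            policy["preload"] = True
    return policy


def assess_hsts(raw_response: str, scheme: str = "https") -> dict:
    """Classify the response as enforced, absent, ignored, invalid or disabled.

    scheme is the transport the response was received over: browsers ignore
    an STS header delivered over plain HTTP (RFC 6797 8.1).
    """
    value = parse_headers(raw_response).get("strict-transport-security")
    if value is None:
        return {"verdict": "absent", "policy": None}
    if scheme != "https":
        return {"verdict": "ignored", "policy": parse_hsts(value)}
    policy = parse_hsts(value)
    if policy["max_age"] is None:
        verdict = "invalid"      # required max-age directive missing or malformed
    elif policy["max_age"] == 0:
        verdict = "disabled"     # max-age=0 instructs the browser to forget the host
    else:
        verdict = "enforced"
    return {"verdict": verdict, "policy": policy}


if __name__ == "__main__":
    for label, response in SAMPLE_RESPONSES.items():
        print(f"{label:>13}: {assess_hsts(response)}")
```

Run the script against a response captured from the service (for example the headers returned by the redirect URL above) instead of the constructed samples. A verdict of "enforced" on the HTTPS port means the scanner's finding can be documented as a false positive with the evidence attached; "absent" or "invalid" means the header really is missing and the finding stands.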
Affected Products
AppSync
Article Properties
Article Number: 000217002
Article Type: Solution
Last Modified: 18 Sep 2025
Version: 4