CloudLink:远程 HTTPS 服务器未强制实施 HTTP 严格传输安全性 (HSTS)
Samenvatting: CloudLink:安全扫描报告“远程 HTTPS 服务器未强制实施 HTTP 严格传输安全 (HSTS)”
Dit artikel is van toepassing op
Dit artikel is niet van toepassing op
Dit artikel is niet gebonden aan een specifiek product.
Niet alle productversies worden in dit artikel vermeld.
Symptomen
CloudLink:安全扫描报告:
The remote HTTPS server is not enforcing HTTP Strict Transport Security (HSTS) The remote HTTPS server does not send the HTTP "Strict-Transport-Security" header
HSTS 是一个可选的响应标头,可在服务器上配置,以指示浏览器仅使用 HTTPS 进行通信。缺少 HSTS 允许降级攻击、SSL 剥离中间人攻击,并削弱 cookie 劫持保护。
Oorzaak
这似乎是安全工具报告的误报。
默认情况下,HSTS 在 CloudLink 上处于启用状态。
要确认,请在 Chrome 中查看 CloudLink HTTP 标头,并执行以下作:
默认情况下,HSTS 在 CloudLink 上处于启用状态。
要确认,请在 Chrome 中查看 CloudLink HTTP 标头,并执行以下作:
- Navigate to the Cloudlink UI login page. - Right click on white empty space and select 'Inspect'. - Select the 'Network' tab. - Select one of the Cloudlink HTTP requests on the left panel. - Match the response headers you're seeing to what we expect to see from the KB article
Oplossing
HTTP 响应包含所有标头,默认情况下由 https://docs.spring.io/autorepo/docs/spring-security/4.2.3.RELEASE/reference/html/headers.html 设置
HTTP/1.1 200 OK Date: Fri, 22 May 2020 11:51:57 GMT Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Thu, 01 Jan 1970 00:00:00 GMT Strict-Transport-Security: max-age=31536000 ; includeSubDomains X-XSS-Protection: 1; mode=block X-Frame-Options: SAMEORIGIN X-Content-Type-Options: nosniff Content-Type: text/html Last-Modified: Tue, 10 Sep 2019 17:33:22 GMT Accept-Ranges: bytes Vary: Accept-Encoding, User-Agent ETag: W/"C/NxCAz49KYC/NwZBDEXzM" Content-Length: 1349
Getroffen producten
CloudLink SecureVM, CloudLinkArtikeleigenschappen
Artikelnummer: 000181096
Artikeltype: Solution
Laatst aangepast: 09 feb. 2026
Versie: 5
Vind antwoorden op uw vragen via andere Dell gebruikers
Support Services
Controleer of uw apparaat wordt gedekt door Support Services.