topic Re: Vulnerability - HSTS header does not contain includeSubDomains in Advanced Threat Prevention Discussions

Vulnerability - HSTS header does not contain includeSubDomains

Deepak25 — Mon, 19 Jul 2021 01:56:23 GMT

This vulnerability is detected on global protect public ip.

HSTS header does not contain includeSubDomains

The HTTP Strict Transport Security (HSTS) header does not contain the includeSubDomains directive. This directive instructs the browser to also enforce the HSTS policy over subdomains of this domain.
Expected Headers > strict-transport-security: max-age=[anything]; includeSubDomains; ...
Actual max-age=31536000;

Panos version installled 9.1.7.

anyone aware about this vulnerability and resolution ?

Re: Vulnerability - HSTS header does not contain includeSubDomains

shubhamgupta — Fri, 22 Oct 2021 10:56:32 GMT

Hi @Deepak25

Am also facing the same issue, Did you find any resolution for the same.

Re: Vulnerability - HSTS header does not contain includeSubDomains

ymiyashita — Wed, 27 Oct 2021 01:42:19 GMT

Currently, it's considered as designed since Strict-Transport-Security is only for the Global Protect server itself and we don't have control for the sub domains.
We have a feature request (FR 17182) for this. You may want to contact Palo Alto Networks sales department to add more weight.

Re: Vulnerability - HSTS header does not contain includeSubDomains

MALLIKARJUN-SHIGLI — Tue, 11 Jan 2022 17:36:12 GMT

Any update on the SubDomains, when it's planned for a release.

Re: Vulnerability - HSTS header does not contain includeSubDomains

shubhamgupta — Wed, 12 Jan 2022 18:16:11 GMT

I got this below response from TAC for above vulnerability-

Apologies for delayed response.

We have checked internally and from the information we are not supporting HSTS for subdomain.

We would reach out to your account team to get the feature in Firewall for GP VPN.

As, we raised voting request with our internal team for your Feature request with FR ID: 6826.

Re: Vulnerability - HSTS header does not contain includeSubDomains

Mignone35 — Thu, 27 Jan 2022 11:15:42 GMT

Any update on the SubDomains?

Re: Vulnerability - HSTS header does not contain includeSubDomains

MingWang — Fri, 25 Feb 2022 00:21:49 GMT

I have the same issue too.

And I also want to know does there any update about SubDomins.

Re: Vulnerability - HSTS header does not contain includeSubDomains

MBTNA — Thu, 30 Jun 2022 09:45:18 GMT

I have the same problem

Re: Vulnerability - HSTS header does not contain includeSubDomains

BigPalo — Thu, 14 Jul 2022 10:03:35 GMT

any update? im the same

Re: Vulnerability - HSTS header does not contain includeSubDomains

AllwynMascarenhas — Fri, 05 Aug 2022 06:22:19 GMT

seems like everyones been waiting for long on this one, we got a similar customer request.. anyone checked this in v10?

Re: Vulnerability - HSTS header does not contain includeSubDomains

ElvisJan — Mon, 27 Mar 2023 01:34:40 GMT

Paloalto support portal mentioned the includeSubDomains directive is not relevant to GlobalProtect because it is not a hosted website whereby statically defined. No resolution, it is expected behavior.
GlobalProtect HTTP header missing includeSubDomains in Strict-T... - Knowledge Base - Palo Alto Networks