07-18-2021 06:18 PM - edited 07-18-2021 06:56 PM
This vulnerability is detected on the GlobalProtect public IP.
HSTS header does not contain includeSubDomains
The HTTP Strict Transport Security (HSTS) header does not contain the includeSubDomains directive. This directive instructs the browser to also enforce the HSTS policy over subdomains of this domain.
Expected header: strict-transport-security: max-age=[anything]; includeSubDomains; ...
Actual header: max-age=31536000;
PAN-OS version installed: 9.1.7.
Is anyone aware of this vulnerability and its resolution?
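The check behind this finding is mechanical: fetch the portal's response headers, pull out Strict-Transport-Security, and test whether includeSubDomains (and a sane max-age) is present. The script below reproduces that check offline so the result can be compared against what a scanner reports. It is an added example written for this thread, not code from the original post or from Palo Alto Networks; the sample HTTP response is constructed to mirror the header quoted above, and the 15552000-second (180 day) max-age floor is a common scanner threshold, not a PAN-OS or RFC requirement. Note that includeSubDomains only governs hosts beneath the portal's own hostname (for a portal at vpn.example.com, that means *.vpn.example.com), which is why the directive matters little when nothing else is served under that name.

```python
"""Assess a Strict-Transport-Security header the way an HSTS scanner does.

Added example for this thread; not from the original post or from
Palo Alto Networks. Directive names are case-insensitive (RFC 6797),
so the parser lower-cases them before comparing.
"""

# Assumed scanner threshold (180 days); the thread's header is well above it.
MIN_MAX_AGE = 15552000
# hstspreload.org requires at least one year plus includeSubDomains and preload.
PRELOAD_MIN_MAX_AGE = 31536000


def sts_header(raw_response):
    """Return the Strict-Transport-Security value from a raw HTTP response
    (status line + CRLF-separated headers), or None when absent.
    Header names are matched case-insensitively."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    for line in head.split("\r\n")[1:]:
        name, sep, val = line.partition(":")
        if sep and name.strip().lower() == "strict-transport-security":
            return val.strip()
    return None


def parse_hsts(value):
    """Split 'max-age=31536000; includeSubDomains; preload' into a dict of
    lower-cased directive name -> value ('' for flag directives)."""
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:          # trailing ';' as in the thread's header
            continue
        name, _, val = part.partition("=")
        directives[name.strip().lower()] = val.strip().strip('"')
    return directives


def assess_hsts(header_value):
    """Return a list of finding strings for one STS header value.
    An empty list means the policy passes every check here."""
    if header_value is None:
        return ["HSTS header missing"]
    d = parse_hsts(header_value)
    findings = []
    max_age = d.get("max-age")
    if max_age is None or not max_age.isdigit():
        findings.append("max-age missing or not an integer")
    elif int(max_age) == 0:
        findings.append("max-age=0 (policy disabled)")
    elif int(max_age) < MIN_MAX_AGE:
        findings.append(f"max-age {max_age} below {MIN_MAX_AGE}")
    if "includesubdomains" not in d:
        findings.append("includeSubDomains missing")
    if "preload" in d and (
        "includesubdomains" not in d
        or not (max_age and max_age.isdigit() and int(max_age) >= PRELOAD_MIN_MAX_AGE)
    ):
        findings.append("preload set but preload prerequisites not met")
    return findings


# Constructed sample response modelled on the header quoted in the post;
# not a real capture from a GlobalProtect portal.
GP_PORTAL_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Strict-Transport-Security: max-age=31536000;\r\n"
    "\r\n"
    "<html>...</html>"
)


def assess_response(raw_response):
    """Convenience wrapper: findings for a whole raw HTTP response."""
    return assess_hsts(sts_header(raw_response))


if __name__ == "__main__":
    for finding in assess_response(GP_PORTAL_RESPONSE):
        print("finding:", finding)
```

To run the same check against a live portal, capture the headers with `curl -sI https://<portal-hostname>/` and feed the output to `assess_response`; the only difference from a scanner's report should be the wording.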
10-26-2021 06:42 PM
Currently it's considered as-designed, since Strict-Transport-Security is only for the GlobalProtect server itself and we don't have control over the subdomains.
We have a feature request (FR 17182) for this. You may want to contact the Palo Alto Networks sales department to add more weight.
01-11-2022 09:36 AM
Any update on includeSubDomains? When is it planned for a release?
01-12-2022 10:16 AM
I got the response below from TAC for the above vulnerability:
Apologies for the delayed response.
We have checked internally and, from the information, we are not supporting HSTS for subdomains.
We will reach out to your account team to get the feature in the firewall for GP VPN.
We have raised a voting request with our internal team for your feature request, FR ID: 6826.
02-24-2022 04:21 PM
I have the same issue too.
I also want to know whether there is any update about SubDomains.
07-14-2022 03:03 AM
Any update? I have the same issue.
08-04-2022 11:22 PM
Seems like everyone's been waiting a long time on this one; we got a similar customer request. Has anyone checked this in v10?
03-26-2023 06:34 PM
The Palo Alto support portal mentions that the includeSubDomains directive is not relevant to GlobalProtect because it is not a statically defined hosted website. No resolution; it is expected behavior.
GlobalProtect HTTP header missing includeSubDomains in Strict-T... - Knowledge Base - Palo Alto Netw...