This vulnerability is detected on the GlobalProtect public IP.
HSTS header does not contain includeSubDomains
The HTTP Strict Transport Security (HSTS) header does not contain the includeSubDomains directive. This directive instructs the browser to also enforce the HSTS policy over subdomains of this domain.
Expected Headers > strict-transport-security: max-age=[anything]; includeSubDomains; ...
PAN-OS version installed: 9.1.7.
Is anyone aware of this vulnerability and its resolution?
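An added example, not from this thread or from Palo Alto Networks, that applies the scanner's expectation (max-age=[anything]; includeSubDomains; ...) to a Strict-Transport-Security value captured from the portal, e.g. with curl -I. The header strings are constructed samples; the parser follows the RFC 6797 directive syntax (case-insensitive names, optionally quoted max-age).

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# One HSTS directive: name, optionally "=" and a token or quoted string.
_DIRECTIVE_RE = re.compile(r'^\s*([A-Za-z0-9-]+)\s*(?:=\s*("[^"]*"|[^\s;"]+))?\s*$')


@dataclass
class HstsCheck:
    present: bool
    max_age: Optional[int]
    include_subdomains: bool
    problems: List[str]


def check_hsts(header_value: Optional[str]) -> HstsCheck:
    """Evaluate a Strict-Transport-Security value the way the scanner does."""
    if header_value is None:
        return HstsCheck(False, None, False, ["no Strict-Transport-Security header"])
    max_age: Optional[int] = None
    include_subdomains = False
    problems: List[str] = []
    for raw in header_value.split(";"):
        if not raw.strip():
            continue  # tolerate a trailing ";" or empty segment
        m = _DIRECTIVE_RE.match(raw)
        if not m:
            problems.append(f"unparseable directive: {raw.strip()!r}")
            continue
        name, value = m.group(1).lower(), m.group(2)
        if name == "max-age":
            value = (value or "").strip('"')
            if not value.isdigit():
                problems.append("max-age has no numeric value")
            else:
                max_age = int(value)
        elif name == "includesubdomains":
            include_subdomains = True
    # Browsers ignore an HSTS header without max-age; max-age=0 clears the policy.
    if max_age is None:
        problems.append("max-age directive missing (header is ignored by browsers)")
    elif max_age == 0:
        problems.append("max-age=0 removes the cached HSTS policy")
    if not include_subdomains:
        problems.append("HSTS header does not contain includeSubDomains")
    return HstsCheck(True, max_age, include_subdomains, problems)


# Constructed sample: a header shaped like the finding in this thread.
FINDING = check_hsts("max-age=31536000")
```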
Currently, it's considered as designed, since Strict-Transport-Security applies only to the GlobalProtect server itself and we don't have control over the subdomains.
We have a feature request (FR 17182) for this. You may want to contact Palo Alto Networks sales department to add more weight.
I got the below response from TAC for the above vulnerability:
Apologies for delayed response.
We have checked internally and, from the information we have, we are not supporting HSTS for subdomains.
We would reach out to your account team to get the feature in Firewall for GP VPN.
Also, we raised a voting request with our internal team for your feature request with FR ID: 6826.