Vulnerability - HSTS header does not contain includeSubDomains

Showing results for 
Show  only  | Search instead for 
Did you mean: 

Vulnerability - HSTS header does not contain includeSubDomains

L3 Networker

This vulnerability is detected on global protect public ip.


HSTS header does not contain includeSubDomains

The HTTP Strict Transport Security (HSTS) header does not contain the includeSubDomains directive. This directive instructs the browser to also enforce the HSTS policy over subdomains of this domain.
Expected Headers > strict-transport-security: max-age=[anything]; includeSubDomains; ...
Actual max-age=31536000;


Panos version installled 9.1.7.


anyone aware about this vulnerability and resolution ?


L1 Bithead

Hi @Deepak25 


Am also facing the same issue, Did you find any resolution for the same.



L5 Sessionator

Currently, it's considered as designed since Strict-Transport-Security is only for the Global Protect server itself and we don't have control for the sub domains.
We have a feature request (FR 17182) for this. You may want to contact Palo Alto Networks sales department to add more weight.

Any update on the SubDomains, when it's planned for a release.

L1 Bithead

I got this below response from TAC for above vulnerability-


Apologies for delayed response.

We have checked internally and from the information we are not supporting HSTS for subdomain.

We would reach out to your account team to get the feature in Firewall for GP VPN.

As, we raised voting request with our internal team for your Feature request with FR ID: 6826.

L0 Member

Any update on the SubDomains?

L0 Member

I have the same issue too.

And I also want to know does there any update about SubDomins.

L1 Bithead

I have the same problem

any update? im the same

L1 Bithead

seems like everyones been waiting for long on this one, we got a similar customer request.. anyone checked this in v10?

L0 Member

Paloalto support portal mentioned the includeSubDomains directive is not relevant to GlobalProtect because it is not a hosted website whereby statically defined. No resolution, it is expected behavior. 
GlobalProtect HTTP header missing includeSubDomains in Strict-T... - Knowledge Base - Palo Alto Netw...

  • 10 replies
  • 63 Subscriptions
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!