How do I modify standalone.xml directly when Nessus detects an HSTS vulnerability?


Eric Lee

Mar 6, 2024, 11:27:05 PM3/6/24
to WildFly

JBoss EAP 7.3

We have the HSTS configuration below in standalone.xml, and it passed Fortify SCA:

    <filters>
        <response-header name="hsts-header" header-name="Strict-Transport-Security" header-value="max-age=31536000;"/>
    </filters>

but the Nessus security scanner still reports HSTS as missing...
Any suggestions?

BTW, for a customer requirement, we disabled:
- the JBoss welcome page
- the admin console (so we removed everything inside <management-interfaces>)

Many thanks.
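As an added example (not Eric's configuration and not from Red Hat's documentation): in the Undertow subsystem a <response-header> filter only defines the header; it is not applied until a <host> references it with <filter-ref>. The fragment below shows the filter from the post attached to the host that serves the HTTPS listener, which is the listener a scanner checks for RFC 6797. The server, host, listener and realm names (default-server, default-host, https, ApplicationRealm) and the subsystem namespace version are assumed to match a stock EAP 7.3 standalone.xml; adjust them to the actual file, and make sure the filter-ref sits in the host that answers on the port being scanned.

```xml
<!-- Added example, not the original poster's file. Names and the namespace
     version are assumptions matching a stock EAP 7.3 standalone.xml. -->
<subsystem xmlns="urn:jboss:domain:undertow:10.0">
    <buffer-cache name="default"/>
    <server name="default-server">
        <http-listener name="default" socket-binding="http" redirect-socket="https" enable-http2="true"/>
        <!-- The TLS listener a scanner probes; HSTS is only meaningful on HTTPS responses -->
        <https-listener name="https" socket-binding="https" security-realm="ApplicationRealm" enable-http2="true"/>
        <host name="default-host" alias="localhost">
            <!-- No <location> for welcome-content: the welcome page was removed, as in the post -->
            <!-- Without this reference the filter is defined but never applied,
                 so the header never appears in responses from this host -->
            <filter-ref name="hsts-header"/>
        </host>
    </server>
    <servlet-container name="default">
        <jsp-config/>
        <websockets/>
    </servlet-container>
    <filters>
        <!-- Same filter as in the post; includeSubDomains is an optional, assumed addition -->
        <response-header name="hsts-header" header-name="Strict-Transport-Security"
                         header-value="max-age=31536000; includeSubDomains"/>
    </filters>
</subsystem>
```

After reloading, the header should be present in a response fetched over HTTPS from the same host and port the scanner uses; if it shows up on one listener but the scanner targets another (a second virtual host, or a different socket binding), the filter-ref needs to be added to that host as well.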

Bartosz Baranowski

Mar 7, 2024, 9:32:40 AM3/7/24
to WildFly
All inquiries regarding EAP are handled via the customer portal: https://access.redhat.com/

Eric Lee

Mar 7, 2024, 11:26:17 AM3/7/24
to WildFly
We found a document at https://access.redhat.com/solutions/7018417
and that solution seems to work for the admin console.

We have already set the Strict-Transport-Security header filter in the Undertow subsystem, and we can see that header in the response,
but the Nessus scanner still flags RFC 6797.


On Thursday, March 7, 2024 at 10:32:40 PM UTC+8, Bartosz Baranowski wrote: