Open JennaySDavis opened 9 months ago
2/5/24: KL&A replied to this vulnerability listed in the January report, stating that this configuration is platform-dependent (https://cloud.gov/docs/compliance/domain-standards/): "cloud.gov ensures all applications are accessible only over HTTPS with HTTP Strict Transport Security (HSTS) headers with the HTTPS-Only Standard. Any HTTP requests are permanently redirected to HTTPS. You don't have to take any action." KL&A is requesting this vulnerability be closed based on its being platform-dependent.
During a security meeting on June 9, 2024, it was confirmed that the URLs flagged were already on the HSTS preload list (https://hstspreload.org/). Dan did an additional verification after the meeting and confirmed this. Dan created a GSA generic request ticket for this false positive.
This issue has been resolved and is no longer listed on the June Vulnerability Scan.
Report Name: Production - https://smartpay.gsa.gov/ - January 2024 https://drive.google.com/drive/folders/1BHO0cG7YaMluNvYFI2oJFtElKmlNIzjB
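The two properties the closure rests on, a permanent HTTP-to-HTTPS redirect and a preload-eligible Strict-Transport-Security header, can be verified against captured responses without trusting the scanner. The checker below is an added example, not code from this issue, from the scan vendor, or from cloud.gov. It runs offline on constructed sample responses (the example.gov host and header values are made up for illustration) and encodes the hstspreload.org submission requirements as they are documented: max-age of at least one year, includeSubDomains, and the preload token.

```python
"""Offline checker for HTTPS-only redirect and HSTS preload eligibility.

Added example; the sample responses below are constructed, not captured
from any real site.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from urllib.parse import urlsplit

# hstspreload.org requires max-age >= 1 year (31536000 seconds) for submission.
PRELOAD_MIN_MAX_AGE = 31_536_000


@dataclass
class Response:
    """Minimal stand-in for an HTTP response: status code plus headers."""
    status: int
    headers: dict[str, str] = field(default_factory=dict)

    def header(self, name: str) -> str | None:
        # Header names are case-insensitive; compare lowercased.
        for key, value in self.headers.items():
            if key.lower() == name.lower():
                return value
        return None


def parse_hsts(value: str) -> dict[str, str | None]:
    """Split a Strict-Transport-Security value into a directive map.

    Directive names are lowercased; valueless tokens map to None.
    """
    directives: dict[str, str | None] = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        directives[name.strip().lower()] = val.strip().strip('"') or None
    return directives


def hsts_findings(value: str | None) -> list[str]:
    """Return reasons the header is not preload-eligible; empty list if it is.

    The header must come from an HTTPS response: browsers ignore HSTS sent
    over plain HTTP, so do not evaluate the redirect response here.
    """
    if value is None:
        return ["no Strict-Transport-Security header"]
    directives = parse_hsts(value)
    findings: list[str] = []
    max_age = directives.get("max-age")
    if max_age is None or not max_age.isdigit():
        findings.append("max-age missing or not an integer")
    elif int(max_age) < PRELOAD_MIN_MAX_AGE:
        findings.append(f"max-age {max_age} below {PRELOAD_MIN_MAX_AGE}")
    if "includesubdomains" not in directives:
        findings.append("includeSubDomains missing")
    if "preload" not in directives:
        findings.append("preload token missing")
    return findings


def redirect_findings(http_url: str, resp: Response) -> list[str]:
    """Check that a plain-HTTP request was permanently redirected to HTTPS on the same host."""
    findings: list[str] = []
    if resp.status not in (301, 308):
        findings.append(f"status {resp.status} is not a permanent redirect")
    location = resp.header("Location")
    if location is None:
        findings.append("no Location header")
        return findings
    src, dst = urlsplit(http_url), urlsplit(location)
    if dst.scheme != "https":
        findings.append(f"Location scheme is {dst.scheme!r}, not https")
    if dst.hostname != src.hostname:
        findings.append(f"Location host {dst.hostname!r} differs from {src.hostname!r}")
    return findings


# Constructed sample responses (hypothetical example.gov, not a real capture).
GOOD_REDIRECT = Response(301, {"Location": "https://example.gov/"})
BAD_REDIRECT = Response(302, {"Location": "http://example.gov/"})
GOOD_HSTS = "max-age=31536000; includeSubDomains; preload"
WEAK_HSTS = "max-age=86400"

if __name__ == "__main__":
    print("redirect ok:", redirect_findings("http://example.gov/", GOOD_REDIRECT))
    print("redirect bad:", redirect_findings("http://example.gov/", BAD_REDIRECT))
    print("hsts ok:", hsts_findings(GOOD_HSTS))
    print("hsts weak:", hsts_findings(WEAK_HSTS))
```

To use it against a live host, capture the HTTP response (with redirects disabled) and the HTTPS response separately, then feed the status, Location and Strict-Transport-Security values into the two functions; an empty findings list for both is the condition that makes a "missing HSTS" scanner hit a false positive.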