department-of-veterans-affairs / va.gov-team

Public resources for building on and in support of VA.gov. Visit complete Knowledge Hub:
https://depo-platform-documentation.scrollhelp.site/index.html

[Nessus Finding] HSTS Missing from HTTPS Server - DUE MAY #80844

Open kell-y opened 3 months ago

kell-y commented 3 months ago

The Feb 2024 Nessus Scan revealed a new medium vulnerability finding on 2/2/24:

HSTS Missing from HTTPS Server, host 10.247.33.45

Nessus Solution: Configure the remote web server to use HSTS

ph-One commented 3 months ago

Keep in mind that IP addresses mean nothing in our environment. We can dig through CloudTrail and see what instance(s) may have used this IP during this time period, but it's largely a shot in the dark.

gary-fallon commented 2 months ago

https://github.com/department-of-veterans-affairs/va.gov-team-sensitive/issues/440

ph-One commented 2 months ago

Initially I thought this may be from the revproxy, but they are all configured for HSTS. Looking elsewhere.

ph-One commented 2 months ago

Forward Proxy also has HSTS enabled. Looking elsewhere.

kell-y commented 2 weeks ago

Update on 6/24/2024: Infra did a little looking, and a decision was made to wait for the next scan (to be done some time in July) to see if this still appears. Otherwise, Infrastructure has been unable to locate an individual virtual machine based on just an IP address as a data point.

keithdadkins commented 1 week ago

I'm working on setting up a box to perform internal scans and some scripts to help map services to IP addresses. I'll perform a manual scan initially, but intend to build automation we can use if something like this pops up again. I suggest closing this ticket and creating a new one to scan for security headers.
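A small, added example (not code from this repository or from the commenter) of the kind of check a security-header scan would run for this finding: it parses a `Strict-Transport-Security` header, rates each host's policy as `missing`, `weak` or `ok`, and runs over constructed sample responses. The host labels, header values and the one-year `max-age` threshold are assumptions for illustration, not data from the scan.

```python
from typing import Dict, Optional

# Assumed threshold: many scanners and the HSTS preload guidance expect at least one year.
MIN_MAX_AGE = 31536000


def parse_hsts(value: str) -> Dict[str, Optional[str]]:
    """Split a Strict-Transport-Security value into lower-cased directives."""
    directives: Dict[str, Optional[str]] = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        directives[name.strip().lower()] = val.strip().strip('"') if val else None
    return directives


def evaluate_hsts(headers: Dict[str, str]) -> str:
    """Rate one HTTPS response's HSTS policy: 'missing', 'weak' or 'ok'.

    'weak' covers a header that is present but has no usable max-age
    (absent, non-numeric, or below MIN_MAX_AGE; max-age=0 clears the policy).
    """
    value = next((v for k, v in headers.items()
                  if k.lower() == "strict-transport-security"), None)
    if value is None:
        return "missing"
    max_age = parse_hsts(value).get("max-age")
    if max_age is None or not max_age.isdigit() or int(max_age) < MIN_MAX_AGE:
        return "weak"
    return "ok"


def triage(responses: Dict[str, Dict[str, str]]) -> Dict[str, str]:
    """Map each scanned host label to its HSTS rating."""
    return {host: evaluate_hsts(hdrs) for host, hdrs in responses.items()}


# Constructed sample responses standing in for what a scan box would collect.
SAMPLE_RESPONSES = {
    "revproxy": {"Server": "nginx",
                 "Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload"},
    "fwdproxy": {"Strict-Transport-Security": "max-age=0"},
    "unmapped-host": {"Server": "Apache", "Content-Type": "text/html"},
}

if __name__ == "__main__":
    for host, rating in triage(SAMPLE_RESPONSES).items():
        print(f"{host}: HSTS {rating}")
```

Only hosts rated `missing` or `weak` need follow-up; the header is only meaningful on HTTPS responses, so the scan should fetch over TLS.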

kell-y commented 5 days ago

I think we'll need to keep this ticket to track the finding until it's closed or remediated, but go ahead and open a new one for the work you suggested!