elastic / package-registry

Elastic Package Registry (EPR)

Strict-Transport-Security Header Missing #988

Open Kurotamashi94 opened 1 year ago

Kurotamashi94 commented 1 year ago

Hi, I encountered a Nessus scan issue stating "HSTS Missing From HTTPS Server (RFC 6797)" for the EPR hosted on Podman.

Podman version: 4.20
EPR version: 8.6.1
RHEL version: 9.1

Is there any way I can set the following configuration on the EPR?

header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"

This configuration works for my HTTPS Apache server.

pawankukreja01 commented 1 year ago

You are encountering an issue with your Nessus scan, which reports that your EPR hosted on Podman is missing the HTTP Strict Transport Security (HSTS) header. HSTS is a widely supported standard that helps protect website visitors by ensuring that their browser always connects using an HTTPS connection. To enable HSTS on your EPR server, you need to add the following configuration to your server's Apache configuration file:

header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"

This configuration sets the HSTS header with a max-age of 31536000 seconds, which means that the browser should remember that the site can be accessed only using HTTPS for one year. The includeSubDomains directive ensures that all subdomains of your site are also protected by HSTS, while the preload directive adds your site to the HSTS preload list maintained by Google Chrome and other browsers.

Since you are using Podman instead of Apache, you may need to modify this configuration to work with your specific setup.

Kurotamashi941 commented 10 months ago

Hi

There is no Apache service inside the EPR image. I suspect that the package registry was bundled as a single binary. How can I provide the command to the package registry?
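Assuming, as the last comment suggests, that the registry runs as a single Go binary with no web server inside the container, the HSTS header has to come either from a TLS-terminating reverse proxy in front of it or from the process itself. The following is an added example and not code from package-registry: a Go middleware that emits the header quoted above, and a probe that reproduces the scanner's check offline. The X-Forwarded-Proto handling is an assumption about a proxy that sets that header after terminating TLS.

```go
package main

import (
	"crypto/tls"
	"net/http"
	"net/http/httptest"
	"strconv"
	"strings"
)

// HSTSPolicy holds the three directives from the Apache line quoted above.
type HSTSPolicy struct {
	MaxAge            int // seconds the browser keeps the HTTPS-only rule
	IncludeSubDomains bool
	Preload           bool
}

// HeaderValue renders the policy as a Strict-Transport-Security value.
func (p HSTSPolicy) HeaderValue() string {
	v := "max-age=" + strconv.Itoa(p.MaxAge)
	if p.IncludeSubDomains {
		v += "; includeSubDomains"
	}
	if p.Preload {
		v += "; preload"
	}
	return v
}

// WithHSTS adds the header to every response of next. Browsers ignore HSTS sent
// over plain HTTP (RFC 6797), so set it only for TLS or proxied-https requests.
func WithHSTS(p HSTSPolicy, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.TLS != nil || strings.EqualFold(r.Header.Get("X-Forwarded-Proto"), "https") {
			w.Header().Set("Strict-Transport-Security", p.HeaderValue())
		}
		next.ServeHTTP(w, r)
	})
}

// ProbeHSTS replays the scanner's check offline and returns the header value ("" if missing).
func ProbeHSTS(h http.Handler, overTLS bool) string {
	req := httptest.NewRequest(http.MethodGet, "/", nil)
	if overTLS {
		req.TLS = &tls.ConnectionState{} // what net/http sets on an https request
	}
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Header().Get("Strict-Transport-Security")
}
```

Wrapping the registry's handler this way (or placing a proxy such as Apache in front of the container with the quoted directive) satisfies the check; the plain-HTTP case deliberately returns no header, which is why a scanner probing the unencrypted port will still not see it.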