While checking for strict HSTS (Strict Transport Security) compliance, the scanner is rejecting the serverless Azure Function that I have deployed.

According to the scanner: “The HSTS Policy is communicated by the server to the user agent via a HTTP response header field named "Strict-Transport-Security". HSTS Policy specifies a period of time during which the user agent shall access the server in only secure fashion.”

And it provides an example.

Also, in the implementation documentation, it says to add the following header to configure Strict Transport Security (HSTS):

```csharp
Response.AddHeader("Strict-Transport-Security", "max-age=31536000; includeSubDomains");
```

Hence I added the above header to my Azure Function (also including the parameter for subdomains). I get the following headers for the endpoint:

![hsts](https://user-images.githubusercontent.com/11742991/46284081-2c11dd00-c594-11e8-84ca-db938ae06be4.png)

The strict HSTS compliance check is failing even though the security header is present for the function.