FROM CACHE - en_header

PCI Scan Vulnerability - HSTS Missing From HTTPS Server (RFC 6797)

Solved
jaykappa
Tourist
6 0 3
‎09-01-2021 11:35 AM

Hi Community,

We ran a PCI scan and the store got the following failure, and would like help to input the correct response as Shopify is PCI compliant.

Web (2053/tcp)
HSTS Missing From HTTPS Server (RFC 6797)


Synopsis
The remote web server is not enforcing HSTS, as defined by RFC 6797.

Description
The remote web server is not enforcing HSTS, as defined by RFC 6797. HSTS is an optional response header that can be configured on the server to instruct the browser to only communicate via HTTPS. The lack of HSTS allows downgrade attacks, SSL-stripping man-in-the-middle attacks, and weakens cookie-hijacking protections.

Output
The remote HTTPS server does not send the HTTP
"Strict-Transport-Security" header.

Screen Shot 2021-09-01 at 11.32.36 AM.png

 

Labels:
2,407 Views
Report
Accepted Solution (1)
PCI-Shawn
Shopify Staff (Retired)
Shopify Staff (Retired)
17 2 1
‎09-01-2021 03:18 PM

This is an accepted solution.

Hi  !

I have seen this before.  Some ASVs do things a little different.

The finding is:  the server on port 2053 is not enforcing HSTS.

Unfortunately, at this time, we can not control the content on port 2053.  This content is served by the Cloudflare CDN.

Good news is that all content on port 2053 (and a few other ports) is OUT OF SCOPE.  

The finding is on a port that is forward to a network outside of the scope of this test (Cloudflare CDN error message content).

That should give you enough info to report the finding as a false positive to the ASV Scanner.

Thanks,

Shawn.

Shawn | Social Care @ Shopify 
 - Was my reply helpful? Click Like to let me know! 
 - Was your question answered? Mark it as an Accepted Solution
 - To learn more visit the Shopify Help Center or the Shopify Blog

View solution in original post

2,329 Views
0 Likes
Report
Reply 1 (1)
PCI-Shawn
Shopify Staff (Retired)
Shopify Staff (Retired)
17 2 1
‎09-01-2021 03:18 PM

This is an accepted solution.

Hi  !

I have seen this before.  Some ASVs do things a little different.

The finding is:  the server on port 2053 is not enforcing HSTS.

Unfortunately, at this time, we can not control the content on port 2053.  This content is served by the Cloudflare CDN.

Good news is that all content on port 2053 (and a few other ports) is OUT OF SCOPE.  

The finding is on a port that is forward to a network outside of the scope of this test (Cloudflare CDN error message content).

That should give you enough info to report the finding as a false positive to the ASV Scanner.

Thanks,

Shawn.

Shawn | Social Care @ Shopify 
 - Was my reply helpful? Click Like to let me know! 
 - Was your question answered? Mark it as an Accepted Solution
 - To learn more visit the Shopify Help Center or the Shopify Blog

2,330 Views
0 Likes
Report

Community Blog Articles

31-54-5hg9c-2x272
Community Update! Threading Improvements

We're excited to announce improvements to the threaded messaging experience in our communi...

By TyW May 31, 2023
crowd-participating-at-event.jpg
We Answered Your Questions to Help You Get the Most Out of Your Shopify <> ...

Thank you to everyone who participated in our AMA with Klaviyo. It was great to see so man...

By Jacqui May 30, 2023
24-09-19241-65844.png
Introduction to Shopify Sales Channels

Photo by Marco Verch Sales channels on Shopify are various platforms where you can sell...

By Ollie May 25, 2023
Terms of Service Privacy Policy