ASV scan of Shopify on Port 8443/TCP generating an HSTS Missing From HTTPS Server (RFC 6797)

Hi,

I’ve seen other related questions asked by the community but nothing recent.

We just recently migrated from Magento to Shopify and I’ve been trying to initiate the quarterly ASV scans on my new Shopify store.

My ASV (Security Metrics) is failing on my new Shopify site on this port 8443/tcp for missing HSTS.

We have enabled HSTS on our Cloudflare, but a rescan produces the same error.

I have found in the community Shopify responses that this could be a false positive, but the last response was in January 2023.

I wanted to somehow verify that this error is still considered a false positive so I can report it as such to Security Metrics. Other than references in the community support, I’ve not found any documentation in Shopify to address this specific port and resultant scan FAIL as a false positive.

Regards

Shopify generally manages security headers, including HSTS, for its users. This is usually implemented on the standard HTTPS port (443/TCP), ensuring secure connections for all traffic coming to your store. If the ASV scan is specifically targeting port 8443, it’s important to note that this might not be a standard port used by Shopify for customer-facing traffic.

If Shopify confirms that this is a false positive, or if port 8443 is not used for customer-facing traffic, communicate this information to your ASV, Security Metrics. Provide them with the explanation and any supporting documentation from Shopify. ASVs are generally receptive to such explanations, especially when backed by information from the platform provider.

Have you reached out directly to Shopify support yet?
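
For anyone assembling evidence for an ASV dispute like the one discussed in this thread, here is an added example (not part of the original posts, and not Shopify or Security Metrics code) that evaluates saved response headers per port against the RFC 6797 header rules. The function names and the sample responses are constructed for illustration.

```python
import re

# Constructed response heads, e.g. as saved from `curl -sI https://<store>:<port>/`.
# Illustrative only; not captured from Shopify or Cloudflare.
SAMPLE_RESPONSES = {
    443: "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
         "Strict-Transport-Security: max-age=7889238; includeSubDomains\r\n",
    8443: "HTTP/1.1 403 Forbidden\r\nContent-Type: text/plain\r\n",
}

def parse_hsts(value):
    """Parse a Strict-Transport-Security value (RFC 6797 section 6.1).
    Returns a policy dict, or None when the header value is invalid."""
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, arg = part.partition("=")
        name = name.strip().lower()          # directive names are case-insensitive
        if name in directives:               # each directive may appear only once
            return None
        directives[name] = arg.strip().strip('"')
    if not re.fullmatch(r"[0-9]+", directives.get("max-age", "")):
        return None                          # max-age is required and numeric
    return {"max_age": int(directives["max-age"]),
            "include_subdomains": "includesubdomains" in directives}

def hsts_from_response(raw_head):
    """Return the policy from a raw response head, or None if missing/invalid.
    Only the first STS header field is processed (RFC 6797 section 8.1)."""
    for line in raw_head.splitlines()[1:]:   # skip the status line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "strict-transport-security":
            return parse_hsts(value)
    return None

def audit(responses):
    """Map each port to a PASS/FAIL finding suitable for a dispute note."""
    findings = {}
    for port, raw in sorted(responses.items()):
        policy = hsts_from_response(raw)
        if policy is None:
            findings[port] = "FAIL: no valid HSTS header"
        elif policy["max_age"] == 0:
            findings[port] = "FAIL: max-age=0 clears the HSTS policy"
        else:
            findings[port] = "PASS: max-age=%d" % policy["max_age"]
    return findings
```

Running `audit()` on headers you captured yourself from both ports gives a per-port record to attach alongside whatever Shopify support confirms.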