PCI Scan Vulnerability - HSTS Missing From HTTPS Server

Topic summary

Main issue: A PCI compliance scan flagged “HSTS Missing From HTTPS Server” on an HTTPS endpoint. HSTS (HTTP Strict Transport Security) forces browsers to use HTTPS and is commonly required for public, payment-related services.

Required clarification: The scanner requests proof that the affected port is not used for credit card processing and is not publicly accessible. If confirmed, HSTS may not be necessary for that port.

Requests: Guidance on how to obtain or provide this confirmation. A formal statement from Shopify is sought to address the scanner’s requirement.

Attachment: A screenshot of the PCI scan result appears central to the report.

Status: No resolution yet. Open questions include what documentation satisfies the PCI scanner and whether Shopify can issue an official statement verifying the port’s non-public, non-payment role.

Summarized with AI on January 22. AI used: gpt-5.

After a PCI scan, a failure emerged that requires additional information. This information would confirm that port usage doesn’t encompass credit card processing and isn’t intended for public use, thus negating the need for HSTS headers.

Any suggestions on how to acquire this information? Can Shopify supply a statement to address this?
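One way to verify the finding yourself before asking for a statement, as an added example that is not part of the original post and not Shopify's code: it parses the Strict-Transport-Security header the way a PCI scanner does and reports why a port would be flagged. The sample headers are constructed; the one-year MIN_MAX_AGE threshold is an assumption, and check_url is the optional live check against the scanned port.

```python
# Added example (not from the original post or from Shopify): assess an
# HTTPS response for a usable HSTS header (RFC 6797) and explain failures.
import ssl
import urllib.request

MIN_MAX_AGE = 31536000  # one year; assumed threshold, match your scanner's policy


def parse_hsts(value):
    """Split an HSTS value into a dict of lower-cased directives."""
    directives = {}
    for part in value.split(";"):
        name, _, val = part.strip().partition("=")
        if name:
            directives[name.strip().lower()] = val.strip().strip('"')
    return directives


def assess_hsts(headers):
    """Return (ok, reason) for a dict of response headers, names case-insensitive."""
    lowered = {k.lower(): v for k, v in headers.items()}
    value = lowered.get("strict-transport-security")
    if value is None:
        return False, "HSTS missing from HTTPS server"
    d = parse_hsts(value)
    if not d.get("max-age", "").isdigit():
        return False, "max-age directive missing or not numeric"
    max_age = int(d["max-age"])
    if max_age == 0:
        return False, "max-age=0 disables HSTS"
    if max_age < MIN_MAX_AGE:
        return False, f"max-age {max_age} is below {MIN_MAX_AGE}"
    subs = " with includeSubDomains" if "includesubdomains" in d else ""
    return True, "HSTS present" + subs


def check_url(url):
    """Live check: fetch url over TLS and assess its response headers."""
    ctx = ssl.create_default_context()
    with urllib.request.urlopen(url, context=ctx, timeout=10) as resp:
        return assess_hsts(dict(resp.headers))


# Constructed sample responses standing in for the scanned port.
SAMPLES = {
    "no_header": {"Content-Type": "text/html"},
    "too_short": {"strict-transport-security": "max-age=300"},
    "good": {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"},
}
```

Run `check_url("https://host:port/")` against the flagged port to reproduce the scanner's result; if the port truly is not public and not in the card-data path, the compensating documentation rather than the header is what the scanner is asking for.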