Is Via G&L vulnerable to the “Strict Transport security misconfiguration”
Originally Published: 2016-08-30
Article Summary
HTTP Strict-Transport-Security header was not found in HTTP responses.
HTTP login is already disabled at customer site.
So, is the product vulnerable to the Strict Transport Security misconfiguration?
Issue Background:
The HTTP Strict Transport Security policy defines a timeframe during which a browser
must connect to the web server only via HTTPS. Without a Strict Transport Security
policy the web application may be vulnerable to several attacks:
· If the web application mixes HTTP and HTTPS, an attacker can manipulate pages in
the unsecured area of the application or change redirection targets so that the
switch to the secured page is not performed, or is performed in a way that leaves
the attacker between client and server.
· If there is no HTTP server, an attacker on the same network could simulate an
HTTP server and, by a social engineering attack, induce the user to click on a
prepared URL.
The protection is effective only for the given amount of time. Multiple
occurrences of this header could cause undefined behaviour in browsers and
should be avoided.
Issue Detail:
There was no "Strict-Transport-Security" header in the server response.
Occurrences:
GET https://sbela00350.be.extranet/aveksa/attachment?token=t6df834f71539de95ba5
GET https://sbela00350.be.extranet/aveksa/custom.jsp?page=home.jsp
GET https://sbela00350.be.extranet/aveksa/help/Access_Fulfillment_Express_Connector_Configuration_Guide/wwhdata/common/alinks.js
GET https://sbela00350.be.extranet/aveksa/help/Access_Fulfillment_Express_Connector_Configuration_Guide/wwhdata/common/context.js
GET https://sbela00350.be.extranet/aveksa/help/Access_Fulfillment_Express_Connector_Configuration_Guide/wwhdata/common/files.js
GET https://sbela00350.be.extranet/aveksa/help/Access_Fulfillment_Express_Connector_Configuration_Guide/wwhdata/common/title.js
GET https://sbela00350.be.extranet/aveksa/help/Access_Fulfillment_Express_Connector_Configuration_Guide/wwhdata/js/toc.js
GET https://sbela00350.be.extranet/aveksa/help/Access_Fulfillment_Express_Guide/wwhdata/common/alinks.js
GET https://sbela00350.be.extranet/aveksa/help/Access_Fulfillment_Express_Guide/wwhdata/common/context.js
GET https://sbela00350.be.extranet/aveksa/help/Access_Fulfillment_Express_Guide/wwhdata/common/files.js
GET https://sbela00350.be.extranet/aveksa/main
… and more (global issue)
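The following script is an added example and is not part of the RSA article or the product; it shows how a scanner arrives at the finding above and how the two caveats in the Issue Background (the policy is only as long as its max-age, and a duplicated header should be avoided) can be checked on captured response headers. It works on constructed header sets rather than live requests; the hostnames, the 180-day max-age floor and the SAMPLE_RESPONSES table are assumptions made for the example.

```python
"""Evaluate captured HTTPS response headers for a usable HSTS policy.

Added example, not code from the RSA article or from Via G&L. The responses
below are constructed; the max-age floor is an assumption for this example.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlsplit

# Assumed floor for this example; production policies commonly use a year.
MIN_MAX_AGE_SECONDS = 180 * 24 * 3600  # 180 days

Header = Tuple[str, str]


@dataclass
class HstsResult:
    present: bool
    duplicated: bool = False
    max_age: Optional[int] = None
    include_subdomains: bool = False
    preload: bool = False
    findings: List[str] = field(default_factory=list)

    @property
    def ok(self) -> bool:
        return not self.findings


def parse_hsts(value: str) -> Tuple[Optional[int], bool, bool, List[str]]:
    """Parse one Strict-Transport-Security value using the RFC 6797 directive syntax."""
    max_age: Optional[int] = None
    include_sub = preload = False
    problems: List[str] = []
    for raw in value.split(";"):
        directive = raw.strip()
        if not directive:
            continue
        name, _, arg = directive.partition("=")
        name = name.strip().lower()
        arg = arg.strip().strip('"')
        if name == "max-age":
            if arg.isdigit():
                max_age = int(arg)
            else:
                problems.append(f"max-age has a non-numeric value {arg!r}")
        elif name == "includesubdomains":
            include_sub = True
        elif name == "preload":
            preload = True
        # Unknown directives are ignored by browsers (RFC 6797), so they are not flagged.
    if max_age is None:
        problems.append("max-age directive missing, so browsers ignore the policy")
    return max_age, include_sub, preload, problems


def check_hsts(headers: List[Header], scheme: str = "https",
               min_max_age: int = MIN_MAX_AGE_SECONDS) -> HstsResult:
    """Evaluate a list of (name, value) response headers for an HSTS policy."""
    values = [v for n, v in headers if n.lower() == "strict-transport-security"]
    if not values:
        return HstsResult(present=False,
                          findings=["Strict-Transport-Security header not found in response"])
    result = HstsResult(present=True, duplicated=len(values) > 1)
    if scheme != "https":
        # Browsers ignore the header on plain HTTP; it only counts when served over TLS.
        result.findings.append("header received over insecure transport and will be ignored")
    if result.duplicated:
        result.findings.append(f"header occurs {len(values)} times; avoid relying on browser behaviour")
    # Browsers process only the first occurrence, so that is the one evaluated here.
    max_age, include_sub, preload, problems = parse_hsts(values[0])
    result.max_age, result.include_subdomains, result.preload = max_age, include_sub, preload
    result.findings.extend(problems)
    if max_age == 0:
        result.findings.append("max-age=0 tells browsers to forget the policy")
    elif max_age is not None and max_age < min_max_age:
        result.findings.append(f"max-age={max_age} is shorter than the {min_max_age}s floor")
    return result


# Constructed sample responses (hostname is a placeholder, not the customer's).
SAMPLE_RESPONSES: Dict[str, List[Header]] = {
    "https://app.example.invalid/aveksa/main": [("Content-Type", "text/html")],
    "https://app.example.invalid/good": [("Strict-Transport-Security", "max-age=31536000; includeSubDomains")],
    "https://app.example.invalid/short": [("Strict-Transport-Security", "max-age=300")],
    "https://app.example.invalid/dup": [("Strict-Transport-Security", "max-age=31536000"),
                                        ("strict-transport-security", "max-age=0")],
}


def scan(responses: Dict[str, List[Header]]) -> Dict[str, List[str]]:
    """Return the findings for every URL, keyed by URL (empty list means the policy is fine)."""
    return {url: check_hsts(hdrs, scheme=urlsplit(url).scheme).findings
            for url, hdrs in responses.items()}


if __name__ == "__main__":
    for url, findings in scan(SAMPLE_RESPONSES).items():
        print(url, "->", "; ".join(findings) or "OK")
```

Run against real captures, the headers list would come from the HTTPS response of each URL in the Occurrences list; only responses fetched over HTTPS matter, which is why the example records the scheme alongside the headers.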
Resolution
In either of the scenarios described above, there are much worse things an attacker could do than the attack described here.
However, they are adding this header anyway to help close that small window, since there is no cost to them in doing so.
It will be in upcoming releases, and may be patched back into some existing codelines at the discretion of the Customer Success team.
It will be fixed in Highland Park (7.0.2).