This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Announcements

SecurID® Knowledge Base

Find answers to your questions and identify resolutions for known issues with knowledge base articles written by SecurID experts.

HSTS (Strict-Transport-Security) Header Explanation for RSA Authentication Manager 8.x

Article Number

000063806

Applies To

RSA Product Set: SecurID
RSA Product/Service Type: Authentication Manager
RSA Version/Condition: 8.x

Issue

This article explains the HSTS header and how to troubleshoot HSTS cases and explains that a scan could find no HSTS if the Help on a Security Console of Self-Service Console page is accessed. The static help pages do not have HSTS enabled, but neither can they be changed, they accept no input or post commands.

RSA has enabled HSTS on our console pages since Authentication Manager 8.2 patch 6.  We no longer allow the initial redirect from http to https. For example, http://am82p.vcloud.local:7004/console-ims used to work, in that it redirected tohttps://am82p.vcloud.local:7004/console-ims, but that is no longer true. For example,

http://am82p.vcloud.local:7004/    -    ERR_EMPTY_RESPONSE

http://am82p.vcloud.local:7004/console-ims  -    ERR_EMPTY_RESPONSE

Image descriptionImage description
Port 7002 for Authentication Manager replication behaves the same way because it does not process any http or https, only internal Authentication Manager processes communicate over the 7002 port.
http://am82p.vcloud.local:7002/  -    ERR_EMPTY_RESPONSE

While default port 7004 has no http or https pages on them.
https://am82p.vcloud.local:7004/   -    Error 404--Not Found

Task

In your browser, point to any RSA Authentication Manager Security Console or Self-Service Console page, and right-click to chose Inspect.  Select Network. then look at the Header Response. See details in Resolution.

Resolution

What is HTTP Strict Transport Security (HSTS)?

HSTS stands for HTTP Strict Transport Security. Websites use HSTS to  It is a method used by websites to say that they should only be accessed using a secure connection, that is, HTTPS. For websites that invoke an HSTS policy, the browser must refuse all HTTP connections and prevent users from accepting insecure SSL certificates. HSTS is currently supported by most major browsers (only some mobile browsers fail to use it).

The HSTS header is received in the first response from the web server and it is managed by the browser.  Once it is received, the browser will always use HTTPS for this specific domain for a certain amount of seconds, known as max-age, which will be set in the header itself as highlighted below:
Image descriptionImage description
 

Detailed information on HSTS

For a more detailed explanation, please review HTTP Strict Transport Security (HSTS)  for RSA Authentication Manager 8.x.

Reasons for HSTS false positive results

When a vulnerability scanner reports a finding of No HTTP Strict Transport Security (HSTS) headers, it is important to note the details, because there could be several reasons for this finding based on the URL reported. For example, 

Checking for HSTS

One example of checking for HSTS yourself is to go to the Authentication Manager Security Console (e. g., https://am83p.vcloud.local:7004/console-ims). It redirects to
https://am83p.vcloud.local:7004/console-ims/Index.jsp.

In Chrome, you can verify that  HSTS is set by following the steps below:
  1. Login to your primary Authentication Manager Security Console (https://<AM_server_FQDN>:7004/console-ims).
  2. Press [F12] to open browser developer tools.
  3. Press [F5] to refresh your page.
  4. Go to the Network tab.
  5. Go to the Headers tab.
  6. In your browser, go to  https://<AM_server_FQDN>:7004/console-ims/index.jsp. If you don't see https://<AM_server_FQDN>:7004/console-ims/index.jsp, look for https://<AM_server_FQDN>:7004/console-ims/TokenError.jsp in the Header list.
  7. Scroll down to Response Headers section. Here you will see the strict-transport-security setting.
Image descriptionImage description

If your scan finds that HSTS is missing, copy and paste the URL from the scan finding into your browser, to see if it is valid. Internal ports for services such as replication do not have web pages associated, therefore cannot be exploited by HTTP attacks. These pages will show either an invalid request message or an HTTP error, such as 400 or 404.
 
Image descriptionImage description

If your scanner finds a help page with a URL that contains /console-infocenter/ without HSTS, the response from RSA Engineering is that help pages are static and cannot be changed; therefore, they are not vulnerable to any HTTP exploit from which HSTS would protect.
Image descriptionImage description

The includeSubDomains field is used to force the HTTP traffic to any of the subdomains to get redirected to HTTPS instead.


How can we delete the HSTS settings?

  1. Navigate to chrome://net-internals/#hsts. This is Chrome’s UI for managing your browser’s local HSTS settings.
  2. First confirm the domain’s HSTS settings are recorded by Chrome by typing the hostname into the Query HSTS/PKP domain section at the bottom of the page.
  3. Click Query. If the query box returns Found with settings information below, the domain’s HSTS settings are saved in your browser. Note that this is a very sensitive search. Only enter the hostname, such as www.example.com or example.com without a protocol or path.
  4. Type the same hostname into the Delete domain security policies section and click Delete, Your browser will no longer force an HTTPS connection for that site!


What is HSTS Preloading?

There is still a window where a user who has a fresh install, or who wipes out their local state, is vulnerable. Because of that, Chrome maintains an HSTS Preload List (and other browsers maintain lists based on the Chrome list). These domains will be configured with HSTS out of the box. 

If, for example, the customer owns a site or has a Self-Service Console that they would like to see included in the preloaded HSTS list you can submit the request to HSTS Preload.  The header should look like the example below:

Image descriptionImage description

Notes

RSA Support is aware of a vulnerability scan identifying a console help page that did not have HSTS set, which is why you should ask about specific URL details from any scan finding. RSA Engineering's response here is that this is not exploitable and has no inherent risk because;

  1. Authentication Manager has already sent the browser the HSTS setting for two years, so the browser should honor that setting, and
  2. These help pages are static with no option to do anything involving an upload or post.
If you Security Team does not accept these responses from RSA Engineering that HTTP error pages do not need HSTS enabled, please contact RSA Support and ask about the instructions on how to add HSTS headers to all Authentication Manager service responses, even for invalid URLs which return error such as 404. This manual configuration will eventually be added to Authentication Manager patches, but no timeline has been set.

Note: You can add HSTS to the *wrapper files associated to the Authentication Manager services such as admin services, biztier and console services. Please contact RSA Support for more information. Engineering is considering adding these in a future patch.
Was this article helpful? Yes No
No ratings

In this article

Version history
Last update:
Monday
Updated by:
Administrator Administrator

Related Content

© 2023 RSA Security LLC or its affiliates. All rights reserved.