
[SECURITY] HSTS not enabled #5897

Open
grexx opened this issue Aug 23, 2023 · 2 comments
Labels: bug (Something isn't working), Internal-Issue-Created (An issue has been created in NextGen's internal issue tracker), RS-11140, Security, triaged

Comments

grexx commented Aug 23, 2023

The HSTS option seems not to be enabled even when the parameter is set to true in the mirth properties file:

http.stricttransportsecurity true

  • OS: Windows2016
  • Java Distribution/Version: Java8
  • Connect Version: 4.3

curl -sSI -v https://mirth-server:8443

does not return `Strict-Transport-Security: max-age=63072000; includeSubDomains` in the headers:

HTTP/1.1 200 OK
Date: Wed, 23 Aug 2023 11:53:11 GMT
Last-Modified: Thu, 09 Mar 2023 20:32:30 GMT
Content-Type: text/html
Accept-Ranges: bytes
Content-Length: 2513

The certificate is valid within our organization,

and our security scanner reports:

tcp/8443 | [142960](https://www.tenable.com/plugins/nessus/142960) | Web Servers | HSTS Missing From HTTPS Server (RFC 6797) | The remote web server is not enforcing HSTS, as defined by RFC 6797.
@grexx grexx added the Security label Aug 23, 2023
@pladesma pladesma added the RS-11140, triaged, Internal-Issue-Created and bug labels Aug 23, 2023
pladesma (Collaborator) commented

It appears that the HSTS header is correctly added to the API endpoints (e.g. /api/channels or /api/system/stats), but it is missing from the base URL as you've pointed out. We'll look into this issue.

pladesma (Collaborator) commented

Also, as a workaround, you can disable plain HTTP traffic altogether by removing or commenting out the http.port property in your mirth.properties file.
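An added example for this thread (not code from the issue or from Mirth Connect): an offline RFC 6797 check of the Strict-Transport-Security header, run over two constructed responses, one shaped like the base-URL response reported above and one shaped like an endpoint that does send the header. It also covers the edge cases the report does not show: quoted or non-numeric max-age, a missing includeSubDomains directive, and duplicate STS fields, where RFC 6797 says only the first is processed. The one-year minimum max-age is an assumed policy floor, not something the thread states.

```python
# Added example for this thread (not Mirth Connect code): an offline check of the
# Strict-Transport-Security header per RFC 6797 over two constructed responses.

# Constructed raw header blocks, as `curl -sSI` prints them. The first mirrors the
# base-URL response reported above; the second is an endpoint that does send HSTS.
BASE_URL_RESPONSE = """HTTP/1.1 200 OK
Date: Wed, 23 Aug 2023 11:53:11 GMT
Content-Type: text/html
Content-Length: 2513
"""
API_RESPONSE = """HTTP/1.1 200 OK
Strict-Transport-Security: max-age=63072000; includeSubDomains
Content-Type: application/json
"""


def parse_hsts(raw_headers):
    """Directives of the first STS field as a dict (names lower-cased), or None."""
    # RFC 6797 s8.1: if several STS fields are present only the first is processed;
    # directive names are case-insensitive and values may be quoted.
    for line in raw_headers.splitlines()[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "strict-transport-security":
            directives = {}
            for part in value.split(";"):
                key, _, val = part.strip().partition("=")
                if key:
                    directives[key.strip().lower()] = val.strip().strip('"')
            return directives
    return None


def check_hsts(raw_headers, min_max_age=31536000):
    """Return findings as strings; an empty list means the header is acceptable."""
    # min_max_age defaults to one year, an assumed policy floor for this example.
    directives = parse_hsts(raw_headers)
    if directives is None:
        return ["no Strict-Transport-Security header (HSTS missing)"]
    findings = []
    max_age = directives.get("max-age")
    if max_age is None or not max_age.isdigit():
        findings.append("max-age missing or not numeric; header is invalid")
    elif int(max_age) < min_max_age:
        findings.append(f"max-age={max_age} is below {min_max_age} seconds")
    if "includesubdomains" not in directives:
        findings.append("includeSubDomains not set")
    return findings


if __name__ == "__main__":
    for label, resp in (("base URL", BASE_URL_RESPONSE), ("API", API_RESPONSE)):
        print(f"{label}: {check_hsts(resp) or ['ok']}")
```

To check a live server instead of the constructed samples, feed the output of `curl -sSI https://host:port/` and of an API path into `check_hsts`; a finding on one path but not the other reproduces the per-endpoint difference described in this thread.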
