In This Article
- HTTP Strict Transport Security Background
- Why Alert Logic Fails PCI Scans on HSTS
- How to Dispute an HSTS-Failed PCI Scan
Alert Logic® PCI scans may fail on "HTTP Strict Transport Security Missing". This article can help you understand why your scan is failing and how you can dispute it.
The HTTP Strict Transport Security (HSTS) standard was introduced in 2012 (RFC 6797) and has since become industry best practice. HSTS protects against:
- SSL stripping by a man-in-the-middle attacker
- Misconfigured web servers that inadvertently serve sensitive traffic over plain HTTP
- Users clicking through certificate warnings, typically when a man-in-the-middle attacker presents an invalid certificate
- Browsers that miss the HTTP-to-HTTPS redirect, typically because of an http:// bookmark or deep link
HSTS matters for any server handling sensitive information that is reachable over both HTTP and HTTPS, but browsers only honour the Strict-Transport-Security header when it arrives over a valid HTTPS connection; a copy sent over plain HTTP is ignored. Alert Logic therefore checks every HTTPS connection for the header.
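The following is an added example, not Alert Logic's scanner code, showing the kind of check an ASV scan performs for this finding: it parses the Strict-Transport-Security header (RFC 6797 section 6.1), treats a header received over plain HTTP as absent (since browsers ignore it there), and flags a missing or malformed header as a failure. The one-year max-age threshold and the warning on a missing includeSubDomains directive are assumptions for the example, not Alert Logic's published scoring rules, and the sample responses are constructed.

```python
"""Evaluate an HTTP response for the HSTS check a PCI ASV scan performs.

Added example (not Alert Logic code). MIN_MAX_AGE is an assumption for this
example: the page does not publish the exact scoring rules, so the check
fails only on a missing/malformed header and warns on a weak max-age.
"""
import http.client
import re
import ssl
from typing import Dict, List, Optional, Tuple

# RFC 6797 recommends a long max-age; browser preload lists require >= 1 year.
MIN_MAX_AGE = 31536000  # one year in seconds (assumed threshold)
HEADER = "strict-transport-security"


def parse_hsts(value: str) -> Dict[str, Optional[str]]:
    """Parse an STS header value into its directives.

    Directive names are case-insensitive; max-age may be quoted. Unknown
    directives (e.g. preload) are kept so a caller can inspect them.
    A directive appearing twice makes the header invalid per RFC 6797.
    """
    directives: Dict[str, Optional[str]] = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, sep, val = part.partition("=")
        name = name.strip().lower()
        parsed_val = val.strip().strip('"') if sep else None
        if name in directives:
            raise ValueError(f"duplicate directive: {name}")
        directives[name] = parsed_val
    return directives


def evaluate_hsts(scheme: str, headers: Dict[str, str]) -> Tuple[bool, List[str]]:
    """Return (passes, findings) for one response.

    scheme  -- 'http' or 'https', the scheme the response was fetched over
    headers -- response headers, names in any case
    """
    findings: List[str] = []
    sts = next((v for k, v in headers.items() if k.lower() == HEADER), None)

    if scheme.lower() != "https":
        # Browsers ignore STS received over plain HTTP (RFC 6797 section 8.1).
        findings.append("response fetched over HTTP: STS header ignored by browsers")
        return False, findings
    if sts is None:
        findings.append("Strict-Transport-Security header missing")
        return False, findings
    try:
        d = parse_hsts(sts)
    except ValueError as exc:
        findings.append(f"malformed STS header: {exc}")
        return False, findings
    max_age_str = d.get("max-age")
    if max_age_str is None or not re.fullmatch(r"\d+", max_age_str):
        findings.append("max-age directive missing or not a non-negative integer")
        return False, findings
    max_age = int(max_age_str)
    if max_age == 0:
        findings.append("max-age=0 tells browsers to forget the HSTS policy")
        return False, findings
    if max_age < MIN_MAX_AGE:
        findings.append(f"max-age {max_age} is below the recommended {MIN_MAX_AGE}")
    if "includesubdomains" not in d:
        findings.append("includeSubDomains absent: subdomains can still be served over HTTP")
    return True, findings


def fetch_headers(host: str, port: int = 443, path: str = "/") -> Dict[str, str]:
    """Fetch response headers over TLS with certificate validation.

    Live check for real use; the offline samples below do not call it.
    """
    ctx = ssl.create_default_context()
    conn = http.client.HTTPSConnection(host, port, context=ctx, timeout=10)
    try:
        conn.request("HEAD", path, headers={"Host": host})
        return dict(conn.getresponse().getheaders())
    finally:
        conn.close()


# Constructed sample responses (not captured from any real scan).
SAMPLES = {
    "hardened": ("https", {"Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload"}),
    "missing": ("https", {"Content-Type": "text/html"}),
    "weak": ("https", {"strict-transport-security": "max-age=300"}),
    "over_http": ("http", {"Strict-Transport-Security": "max-age=31536000"}),
}

if __name__ == "__main__":
    for name, (scheme, hdrs) in SAMPLES.items():
        ok, notes = evaluate_hsts(scheme, hdrs)
        print(f"{name:9} {'PASS' if ok else 'FAIL'} {notes}")
```

To run the live check against your own host, call `evaluate_hsts("https", fetch_headers("www.example.com"))`; a result of `False` with "header missing" is the condition that produces the scan finding.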
A missing HSTS header is rated as a "PCI Fail" under either of the following two requirements:
- Secure web server configuration requirement
"The ASV scanning solution must be able to test for all known vulnerabilities and configuration issues on web servers" (PCI Data Security Standard Approved Scanning Vendors v2.0, pg 18).
"The ASV scan solution must be able to detect via automated or manual means current vulnerabilities and configuration issues (for example, OWASP Top 10, SANS CWE Top 25, etc.)" (PCI Data Security Standard Approved Scanning Vendor v3.0, pg 25).
A missing HSTS header violates the web server configuration requirement through OWASP Top 10 (2013) A6 Sensitive Data Exposure, item 5 of its checklist, which reads "Are any browser security directives or headers missing when sensitive data is provided by/sent to the customer?"
- Common Vulnerability Scoring System (CVSS) base score of 4.0 or higher requirement
"To assist customers in providing the solution or mitigating identified issues, ASV must assign a severity level to each identified vulnerability or misconfiguration ... whenever possible. ASVs must use ... CVSS version 2.0 ... Any vulnerability with a CVSS score of 4.0 or higher will result in a non-compliant scan, and all such vulnerabilities must be remediated by the scan customer" (PCI Data Security Standard Approved Scanning Vendor v2.0, pg 22 & v3.0, pg 30).
A missing HSTS header is assigned a CVSS base score of 4.8, above the 4.0 threshold, so it fails this requirement as well. Additionally, there are working exploits in the wild (SSL stripping tools are publicly available).
For a PCI dispute of the "HSTS Missing" scan failure to be approved, the customer must substantiate one of the following four things:
- None of the four threats listed above applies to the specific server.
- You have one or more compensating controls that together go "above and beyond" the protection HSTS provides.
- You are using an older Cisco AnyConnect VPN, which:
- Does not support HSTS on its VPN port
- Is running a supported version of Cisco IOS
- Has Cisco Strict Certificate Trust enabled
- You are serving Amazon Web Services (AWS) S3 content via CloudFront, where:
- Only HTTPS is allowed
- The CloudFront layer is enforcing HTTP to HTTPS redirects
- S3 bucket permissions deny direct access to the S3 objects, so they can only be reached through CloudFront