The remote HTTPS server does not send the HTTP Strict-Transport-Security header

Hi,
Our Nessus scanner returned new vulnerabilities on port 8443 for LXD.
Do you have a guide on how to enable this? The finding is: "The remote HTTPS server does not send the HTTP Strict-Transport-Security header."

In which file do I need to add this? Thanks.
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" env=HTTPS

My understanding of Strict-Transport-Security is that it indicates to web browsers that future connections to that domain should always be done over HTTPS.

However LXD can only listen on HTTPS on the network, so there is no option of using HTTP.

If you don't need LXD listening on the network you can disable that by unsetting core.https_address (although this is needed for a cluster).

I don’t suppose adding the header would be an issue, but as I understand it, wouldn’t improve security.

@stgraber what do you think?

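Tomas's point above, that HSTS only changes what a browser does with a future http:// URL for that host, can be checked against the header value posted earlier in the thread. The following is an added example, not code from this thread or from LXD: it parses a Strict-Transport-Security value the way RFC 6797 section 6.1 requires (max-age is mandatory, a directive may appear only once, malformed values make the whole header ignored) and then applies the URI rewriting rule of section 8.3, which keeps any explicit port other than 80. The host name lxd.example.internal and the URLs are constructed; 8443 is LXD's default HTTPS port, and the assumption, as stated in the thread, is that nothing listens there over plain HTTP.

```python
"""Added example: RFC 6797 (HSTS) policy parsing and URI upgrade.

Not from the LXD forum thread or the LXD project. Host names below are
constructed for illustration.
"""
import re
from urllib.parse import urlsplit, urlunsplit


def parse_hsts(value):
    """Parse an STS header value.

    Returns {'max_age': int, 'include_subdomains': bool, 'preload': bool}
    for a well-formed value, or None when a user agent must ignore the header
    (RFC 6797 6.1: missing or non-numeric max-age, or a repeated directive).
    """
    policy = {"max_age": None, "include_subdomains": False, "preload": False}
    seen = set()
    for directive in value.split(";"):
        directive = directive.strip()
        if not directive:
            continue
        name, _, raw = directive.partition("=")
        name = name.strip().lower()
        raw = raw.strip().strip('"')  # values may be quoted-string
        if name in seen:
            return None  # each directive may appear at most once
        seen.add(name)
        if name == "max-age":
            if not re.fullmatch(r"\d+", raw):
                return None
            policy["max_age"] = int(raw)
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":
            policy["preload"] = True
        # unrecognised directives are ignored, as the RFC requires
    if policy["max_age"] is None:
        return None
    return policy


def hsts_host_matches(known_host, policy, request_host):
    """Does a policy cached for known_host cover request_host? (RFC 6797 8.2)"""
    known_host = known_host.lower().rstrip(".")
    request_host = (request_host or "").lower().rstrip(".")
    if request_host == known_host:
        return True
    return policy["include_subdomains"] and request_host.endswith("." + known_host)


def rewrite_for_hsts(url, known_host, policy):
    """Apply RFC 6797 8.3 to a URL a browser is about to fetch.

    http becomes https; an explicit port of 80 becomes the default (443);
    any other explicit port is preserved. The URL is returned unchanged when
    no valid policy covers its host or it is not an http:// URL.
    """
    parts = urlsplit(url)
    if parts.scheme != "http" or policy is None:
        return url
    if not hsts_host_matches(known_host, policy, parts.hostname):
        return url
    port = parts.port
    netloc = parts.hostname if port in (None, 80) else f"{parts.hostname}:{port}"
    return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))


def demo():
    """Walk the header value from the thread through the rewrite rule."""
    header = "max-age=31536000; includeSubDomains; preload"
    policy = parse_hsts(header)
    # Constructed host; 8443 is LXD's default HTTPS port. A future
    # http://host:8443 request is rewritten to https://host:8443, i.e. to the
    # endpoint LXD already serves, so the policy changes nothing in practice.
    return rewrite_for_hsts("http://lxd.example.internal:8443/1.0",
                            "lxd.example.internal", policy)


if __name__ == "__main__":
    print(demo())
```

Running it shows the practical consequence of the rewrite rule: http://lxd.example.internal:8443/1.0 becomes https://lxd.example.internal:8443/1.0, which is the only thing LXD serves on that port anyway, while only a plain http://lxd.example.internal/ URL (port 80, which LXD does not listen on) would be steered to 443. A value such as "includeSubDomains" alone or a repeated max-age is rejected outright, which is worth knowing when hand-editing the Apache directive quoted above.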

Hi Tomas,

Thank you for your answer.
Can you guide me on how to disable LXD listening on core.https_address? Which parameter should I add?

lxc config unset core.https_address


Yeah, HSTS when running on a non-standard HTTPS port and not offering an HTTP port seems completely pointless to me. I have no idea why Nessus would even flag this on 8443.