strict HTTPS

failingUser · Post by **failingUser** » May 31, 2023 9:26 pm this post

Our Nessus vulnerability scanner is detecting the following error on our Veeam servers:
HSTS Missing From HTTPS Server (RFC 6797)
The remote HTTPS server does not send the HTTP "Strict-Transport-Security" header.

There is nothing else installed on the two Veeam servers (IIS is not even installed), so Veeam (or a Veeam plugin) must be the culprit.
Looks to be on ports 20443 and 33034.
Tech support (Case # 05945627) was unable to assist and advised I post here for a possible resolution.

Post by **Gostev** » May 31, 2023 10:38 pm this post

Apologies for invalid instructions from your support engineer. When unable to assist, support engineers are supposed to escalate to a higher support tier, instead of telling a customer to post about the issue on these forums (as these are NOT support forums). I've notified the support management of your support case.

Post by **Gostev** » Jun 01, 2023 7:36 am this post

They reviewed the case and it appears your support engineer never suggested that you post the issue here. Please, follow his instructions carefully to have the issue reviewed by security analysts.

tomkoder · Post by **tomkoder** » Jul 13, 2023 10:40 am this post

failingUser wrote: ↑May 31, 2023 9:26 pm Our Nessus vulnerability scanner is detecting the following error on our Veeam servers:
HSTS Missing From HTTPS Server (RFC 6797)
The remote HTTPS server does not send the HTTP "Strict-Transport-Security" header.

Hi failingUser,
Did you manage to resolve the problem?
I have the same issue on port 33034
If you have it solved could you post the solution here or DM me? Thanks

carl.20150508 · Post by **carl.20150508** » Nov 01, 2023 3:52 am this post

failingUser wrote: ↑May 31, 2023 9:26 pm Our Nessus vulnerability scanner is detecting the following error on our Veeam servers:
HSTS Missing From HTTPS Server (RFC 6797)
The remote HTTPS server does not send the HTTP "Strict-Transport-Security" header.

There is nothing else installed on the two Veeam servers (IIS is not even installed), so Veeam (or a Veeam plugin) must be the culprit.
Looks to be on ports 20443 and 33034.
Tech support (Case # 05945627) was unable to assist and advised I post here for a possible resolution.

I have same problem. Would you please let me know how to fix it?

Many thanks.

carl.20150508 · Post by **carl.20150508** » Nov 03, 2023 2:09 am this post

Gostev wrote: ↑May 31, 2023 10:38 pm Apologies for invalid instructions from your support engineer. When unable to assist, support engineers are supposed to escalate to a higher support tier, instead of telling a customer to post about the issue on these forums (as these are NOT support forums). I've notified the support management of your support case.

Unfortunately, I have logged a call to support but the support replied the following. Anyway, I have submitted the report to https://www.veeam.com/vulnerability-disclosure.html

Unfortunately, APAC support team does not handle vulnerability issues and the issue regarding vulnerability is handled by dedicated team. In order to reach out to that team, Customers need to fill in the report below and the dedicated team will reply back via email.

R&D Forums

strict HTTPS

Re: strict HTTPS

Re: strict HTTPS

Re: strict HTTPS

Re: strict HTTPS

Re: strict HTTPS

Who is online