-
- Lurker
- Posts: 2
- Liked: never
- Joined: May 21, 2023 5:48 pm
- Full Name: Danny Ben
- Contact:
Veeam 12 HSTS Missing From HTTPS Server port 6172
Hi,
I'm testing now Veeam Backup & Replication 12, Build 12.0.0.1420 P20230412, on Windows 2019. As part of my security task, I ran the Tenable scanner and received the vulnerability issue on port 6172. Any idea how to enforce HSTS on port 6172?
From Tenable
Description
The remote web server is not enforcing HSTS, as defined by RFC 6797. HSTS is an optional response header that can be configured on the server to instruct the browser to only communicate via HTTPS. The lack of HSTS allows downgrade attacks, SSL-stripping man-in-the-middle attacks, and weakens cookie-hijacking protections.
Output from most recent scan
The remote HTTPS server does not send the HTTP
"Strict-Transport-Security" header.
Solution
Configure the remote web server to use HSTS.
-
- Product Manager
- Posts: 14968
- Liked: 3159 times
- Joined: Sep 01, 2014 11:46 am
- Full Name: Hannes Kasparick
- Location: Austria
- Contact:
Re: Veeam 12 HSTS Missing From HTTPS Server port 6172
Hello,
and welcome to the forums.
Well, there is no web server running on that port... so that setting does not exist. It's a Veeam proprietary protocol that is using certificates for internal authentication. I guess Tenable should update their signatures.
Best regards,
Hannes
-
- Lurker
- Posts: 2
- Liked: never
- Joined: May 21, 2023 5:48 pm
- Full Name: Danny Ben
- Contact:
Re: Veeam 12 HSTS Missing From HTTPS Server port 6172
Hi HannesK, thank you for your reply. I will submit a ticket and keep you updated.
-
- Influencer
- Posts: 14
- Liked: never
- Joined: Jul 31, 2023 7:47 am
- Full Name: Carl
- Contact:
Re: Veeam 12 HSTS Missing From HTTPS Server port 6172
Did you fix the problem?
dannyb1971 wrote: ↑May 21, 2023 5:59 pm
Hi,
I'm testing now Veeam Backup & Replication 12, Build 12.0.0.1420 P20230412, on Windows 2019. As part of my security task, I ran the Tenable scanner and received the vulnerability issue on port 6172. Any idea how to enforce HSTS on port 6172?
From Tenable
Description
The remote web server is not enforcing HSTS, as defined by RFC 6797. HSTS is an optional response header that can be configured on the server to instruct the browser to only communicate via HTTPS. The lack of HSTS allows downgrade attacks, SSL-stripping man-in-the-middle attacks, and weakens cookie-hijacking protections.
Output from most recent scan
The remote HTTPS server does not send the HTTP
"Strict-Transport-Security" header.
Solution
Configure the remote web server to use HSTS.
-
- Lurker
- Posts: 1
- Liked: never
- Joined: Oct 03, 2024 2:22 pm
- Full Name: M Rivera
- Contact:
Re: Veeam 12 HSTS Missing From HTTPS Server port 6172
Hello. Our team was also seeing a similar HSTS vuln detection from our Tenable scanning platform with Veeam, however on port 9419 (Veeam REST API service). Can anyone please confirm if this is a valid vulnerability detection or an instance of a Tenable FP (like port 6172)?
Tenable Scan Outputs:
HSTS Missing From HTTPS Server (RFC 6797)
The remote web server is not enforcing HSTS, as defined by RFC 6797.
HTTP/1.1 404 Not Found
Content-Length: 0
Server: Microsoft-HTTPAPI/2.0
Date: Thu, 03 Oct 2024 00:46:22 GMT
Connection: close
The remote HTTPS server does not send the HTTP
"Strict-Transport-Security" header.
Configure the remote web server to use HSTS.
-
- Veeam Software
- Posts: 2346
- Liked: 556 times
- Joined: Jun 28, 2016 12:12 pm
- Contact:
Re: Veeam 12 HSTS Missing From HTTPS Server port 6172
Hi mriv21B, welcome to the forums.
Please see the answer from HannesK; 9419 is the port for the API, as you mentioned, and HSTS is for users using the browser, not for APIs. The Veeam API(s) utilize authentication over HTTPS, and HTTP is not allowed, so it's secure by design.
Likely it's a false positive as above.
David Domask | Product Management: Principal Analyst
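The two replies above draw a distinction that is worth checking for yourself before filing or closing a ticket: a port that does not speak HTTP at all (the proprietary protocol on 6172) cannot carry an HSTS header, whereas an HTTP listener that answers without the header (the Microsoft-HTTPAPI/2.0 404 quoted for 9419) is a genuine header omission, whether or not it matters for an API. The script below is an added triage example written for this thread; it is not Veeam's, Tenable's or any poster's code. The hostname and port in the usage comment are assumptions, and the three sample responses are constructed (the first mirrors the header block quoted in the 9419 post). It parses a raw reply for a Strict-Transport-Security header per RFC 6797 (first occurrence wins), and `probe()` does the same against a live host if you give it one.

```python
"""Triage helper for a Tenable "HSTS Missing From HTTPS Server" finding.

Added example, not Veeam's, Tenable's or a forum poster's code. It tells
"the port is not HTTP at all" apart from "HTTP reply without the header".
"""
import socket
import ssl
from dataclasses import dataclass
from typing import Optional

HSTS_HEADER = "strict-transport-security"


@dataclass
class HstsVerdict:
    is_http: bool          # did the port answer with an HTTP status line?
    status_line: str       # first line of the reply, or a short error note
    hsts: Optional[str]    # raw header value if present, else None

    @property
    def finding_applies(self) -> bool:
        """True only when an HTTP server replied and omitted the header."""
        return self.is_http and self.hsts is None


def parse_http_response(raw: bytes) -> HstsVerdict:
    """Classify raw bytes read from a TLS socket after sending a GET."""
    text = raw.decode("latin-1")            # 1:1 byte mapping, never raises
    head = text.split("\r\n\r\n", 1)[0]     # headers only; body is irrelevant
    lines = head.split("\r\n")
    status = lines[0] if lines else ""
    if not status.startswith("HTTP/"):
        # Empty reply, binary frame or some other text protocol: not HTTP.
        return HstsVerdict(False, status[:40], None)
    hsts = None
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        # RFC 6797 section 8.1: a UA processes only the first STS header field.
        if hsts is None and sep and name.strip().lower() == HSTS_HEADER:
            hsts = value.strip()
    return HstsVerdict(True, status, hsts)


def hsts_max_age(value: Optional[str]) -> Optional[int]:
    """Return the max-age directive (seconds), or None if absent or malformed."""
    if value is None:
        return None
    for directive in value.split(";"):
        name, sep, num = directive.strip().partition("=")
        if sep and name.strip().lower() == "max-age":
            num = num.strip().strip('"')
            return int(num) if num.isdigit() else None
    return None


def probe(host: str, port: int, timeout: float = 5.0) -> HstsVerdict:
    """Connect with TLS, send a minimal GET and classify whatever comes back.

    Certificate verification is disabled on purpose: backup servers commonly
    run self-signed certificates and this check concerns the HTTP layer, not
    trust in the certificate. Do not reuse this context for anything else.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    request = (f"GET / HTTP/1.1\r\nHost: {host}\r\n"
               "Connection: close\r\n\r\n").encode("ascii")
    chunks = []
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                tls.sendall(request)
                while True:
                    try:
                        chunk = tls.recv(4096)
                    except OSError:   # timeout or abrupt close: classify what we got
                        break
                    if not chunk:
                        break
                    chunks.append(chunk)
    except OSError as exc:            # connect/handshake/send failed (ssl.SSLError is an OSError)
        return HstsVerdict(False, f"no HTTP reply ({type(exc).__name__})", None)
    return parse_http_response(b"".join(chunks))


# Constructed samples, not captured from a real server. The first mirrors the
# header block quoted for port 9419 above; the third stands in for a
# proprietary binary protocol such as the one described for port 6172.
SAMPLE_API_NO_HSTS = (b"HTTP/1.1 404 Not Found\r\nContent-Length: 0\r\n"
                      b"Server: Microsoft-HTTPAPI/2.0\r\n"
                      b"Date: Thu, 03 Oct 2024 00:46:22 GMT\r\nConnection: close\r\n\r\n")
SAMPLE_WITH_HSTS = (b"HTTP/1.1 200 OK\r\n"
                    b"Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
                    b"Content-Length: 2\r\n\r\nok")
SAMPLE_NOT_HTTP = b"\x00\x12CONSTRUCTED-BINARY-FRAME\x01\x02"

if __name__ == "__main__":
    for label, raw in (("api-404", SAMPLE_API_NO_HSTS),
                       ("with-hsts", SAMPLE_WITH_HSTS),
                       ("binary", SAMPLE_NOT_HTTP)):
        v = parse_http_response(raw)
        print(f"{label:10} http={v.is_http} hsts={v.hsts!r} "
              f"max_age={hsts_max_age(v.hsts)} finding_applies={v.finding_applies}")
    # Live check against an assumed hostname and port, e.g.:
    # print(probe("backup01.example.internal", 9419))
```

Run it with no arguments to see the three constructed cases classified; uncomment the `probe()` call with your own server name to check 6172 and 9419 directly. A `finding_applies` of False with `is_http` False is the "scanner signature does not fit this port" case from the first reply; True with `is_http` True means the port really is an HTTP listener that sends no HSTS header, and the remaining question is the one the last reply raises, namely whether a browser ever talks to it.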