Tenable’s Description:
The remote HTTPS server is not enforcing HTTP Strict Transport Security (HSTS). HSTS is an optional response header that can be configured on the server to instruct the browser to only communicate via HTTPS. The lack of HSTS allows downgrade attacks, SSL-stripping man-in-the-middle attacks, and weakens cookie-hijacking protections.
My server has this setting in /etc/gitlab/gitlab.rb:
external_url 'https://<FQDN>/gitlab'
I also set
nginx['hsts_max_age'] = 63072000
nginx['hsts_include_subdomains'] = false
When I go to the web URL
https://<FQDN>
I get a 404, and the HSTS header is not included.
If I go to
https://<FQDN>/gitlab
I am redirected to
https://<FQDN>/gitlab/users/sign_in
and the HSTS header is included.
Because Nessus does not follow redirects, this test returns a failure.
Any suggestions on how to get the HSTS header to show for the server root URL?
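Added example, not code from the original post or from GitLab: a small Python checker that judges every hop of a redirect chain on its own, the way a scanner that does not follow redirects does, using the max-age from the post. The sample responses are constructed to mirror the post, and the live fetch_chain helper assumes the host is reachable over HTTPS.

```python
import http.client
import urllib.parse

EXPECTED_MAX_AGE = 63072000  # the nginx['hsts_max_age'] value from the post

def parse_hsts(value):
    """Parse a Strict-Transport-Security value; None if absent or without max-age."""
    directives = {}
    for part in (value or "").split(";"):
        name, _, val = part.strip().partition("=")
        if name:
            directives[name.strip().lower()] = val.strip().strip('"')
    if not directives.get("max-age", "").isdigit():
        return None  # max-age is mandatory (RFC 6797); anything else is not HSTS
    return {"max_age": int(directives["max-age"]), "include_subdomains": "includesubdomains" in directives}

def check_hop(status, headers, min_max_age=EXPECTED_MAX_AGE):
    """Judge one response by itself, as a scanner that does not follow redirects does."""
    lower = {k.lower(): v for k, v in dict(headers).items()}  # header names are case-insensitive
    hsts = parse_hsts(lower.get("strict-transport-security"))
    if hsts is None:
        return False, f"status {status}: no valid HSTS header"
    if hsts["max_age"] < min_max_age:
        return False, f"status {status}: max-age {hsts['max_age']} below {min_max_age}"
    return True, f"status {status}: HSTS ok"

def check_chain(responses, min_max_age=EXPECTED_MAX_AGE):
    """responses: list of (url, status, headers); returns [(url, ok, reason), ...]."""
    return [(url, *check_hop(status, hdrs, min_max_age)) for url, status, hdrs in responses]

def fetch_chain(url, max_hops=5):
    """Live mode: walk redirects by hand so every hop's own headers are inspected."""
    chain = []
    for _ in range(max_hops):
        u = urllib.parse.urlsplit(url)
        conn = http.client.HTTPSConnection(u.hostname, u.port or 443, timeout=10)
        conn.request("GET", (u.path or "/") + ("?" + u.query if u.query else ""))
        resp = conn.getresponse()
        chain.append((url, resp.status, dict(resp.getheaders())))
        location = resp.getheader("Location")
        conn.close()
        if not (300 <= resp.status < 400 and location):
            break  # final hop reached; its own headers are what a scanner sees
        url = urllib.parse.urljoin(url, location)
    return chain

SAMPLE_CHAIN = [  # constructed to mirror the post, not real captures
    ("https://<FQDN>/", 404, {"Content-Type": "text/html"}),
    ("https://<FQDN>/gitlab", 302, {"Location": "/gitlab/users/sign_in", "Strict-Transport-Security": "max-age=63072000"}),
]
```

Running check_chain(SAMPLE_CHAIN) flags the root 404 and passes the /gitlab redirect, which is exactly the split the scanner reports; for a live host, pass fetch_chain("https://<FQDN>/") instead of the sample.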