question

HrTJ-3428 asked azure-cxp-api edited

Vulnerability scan shows "HSTS Missing From HTTPS Server" on some ports, despite HTTPS Only option.

Hello,

I have deployed a Web Application based on a Linux container.


I have purchased an SSL certificate from Azure and added it successfully to the app. The SSL certificate is properly reflected on the website. I have also ticked the option to use "HTTPS Only".


However, whenever a VA is done, it reveals a Medium Risk error, "HSTS Missing From HTTPS Server". This is shown for a number of ports: 454, 455, 8010, 8015, and 8172.

Could anyone please suggest what would be going wrong?


Thanks!

Tags: azure-webapps, azure-webapps-ssl-certificates, azure-web-application-firewall

1 Answer

SnehaAgrawal-MSFT answered

Thanks for asking the question! The other ports are not serving the customer site at all; they are just hosted on the same IP address (you can see that the certificates returned for those do not even match the site hostname in the first place) and are not a destination for any browser anyway.

To elaborate, ports 454 and 455 are used for internal communication in the Azure Websites infrastructure and are not something we disclose publicly. Port 8172 is the original WebDeploy port (used by publishing from Visual Studio, WebMatrix, etc.). It requires auth and runs over HTTPS. Auth with site credentials is required to get through it. Not sure if the tool requires implicit encryption.

So, the scanner for the customer site should be scoped only to 80/443 as that is truly their site.

Please send an email to AzCommunity[at]Microsoft[dot]com if you have further question regarding this matter.
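The answer's triage rule, as an added example that is not part of the Q&A thread or of any Azure tooling: a scanner finding on a port only matters if the certificate presented there actually covers the site's hostname; if it does not, the endpoint is infrastructure on the same IP and the finding is out of scope, and only for in-scope endpoints (80/443) is the Strict-Transport-Security header worth evaluating. The hostname `contoso.example`, the SAN lists and the response headers below are constructed sample data; the 8172 entry mimics the answer's description of an auth-protected publishing endpoint whose certificate does not match the site.

```python
"""Triage "HSTS missing" scanner findings per port (added example; constructed data)."""
from typing import Dict, List, Optional

ONE_YEAR = 31536000  # seconds; a commonly recommended minimum HSTS max-age


def parse_hsts(headers: Dict[str, str]) -> Optional[Dict[str, object]]:
    """Parse Strict-Transport-Security (case-insensitive lookup); None if absent."""
    value = next((v for k, v in headers.items()
                  if k.lower() == "strict-transport-security"), None)
    if value is None:
        return None
    policy: Dict[str, object] = {"max_age": None,
                                 "include_subdomains": False,
                                 "preload": False}
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            try:
                policy["max_age"] = int(arg.strip().strip('"'))
            except ValueError:
                pass  # malformed max-age is reported as missing below
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":
            policy["preload"] = True
    return policy


def hsts_findings(headers: Dict[str, str], min_age: int = ONE_YEAR) -> List[str]:
    """Return problems with the HSTS policy on an in-scope endpoint (empty = OK)."""
    policy = parse_hsts(headers)
    if policy is None:
        return ["HSTS header missing"]
    problems: List[str] = []
    if policy["max_age"] is None:
        problems.append("max-age directive missing or malformed")
    elif policy["max_age"] < min_age:
        problems.append(f"max-age {policy['max_age']} below {min_age}")
    return problems


def cert_matches_host(san_names: List[str], hostname: str) -> bool:
    """Exact SAN match, or a wildcard covering exactly one leftmost label."""
    host = hostname.lower().rstrip(".")
    for name in san_names:
        name = name.lower().rstrip(".")
        if name == host:
            return True
        if name.startswith("*."):
            suffix = name[1:]                       # e.g. ".contoso.example"
            prefix = host[:-len(suffix)] if host.endswith(suffix) else ""
            if prefix and "." not in prefix:        # one label only
                return True
    return False


def triage(hostname: str, port: int, san_names: List[str],
           headers: Dict[str, str]) -> Dict[str, object]:
    """Classify one scanner finding: out of scope, or in scope with HSTS findings."""
    if not cert_matches_host(san_names, hostname):
        return {"port": port, "in_scope": False,
                "reason": "certificate does not cover the site hostname; "
                          "endpoint is shared infrastructure, not the site"}
    return {"port": port, "in_scope": True, "findings": hsts_findings(headers)}


# Constructed sample scan: (SAN names on the cert, response headers) per port.
SITE = "contoso.example"
SCAN = {
    443: (["contoso.example", "www.contoso.example"],
          {"Strict-Transport-Security": "max-age=31536000; includeSubDomains",
           "Content-Type": "text/html"}),
    8172: (["*.publish.infra.example"],          # constructed, not the site's cert
           {"WWW-Authenticate": 'Basic realm="publish"'}),
}


def triage_all(hostname: str = SITE, scan=SCAN) -> List[Dict[str, object]]:
    return [triage(hostname, port, sans, hdrs) for port, (sans, hdrs) in scan.items()]


if __name__ == "__main__":
    for result in triage_all():
        print(result)
```

Note that the App Service "HTTPS Only" switch only redirects HTTP requests to HTTPS; it does not add the Strict-Transport-Security header, so on the in-scope 443 endpoint the application itself has to emit that header for `hsts_findings` to come back empty.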
