In Discovery, we updated the rating system for the Strict-Transport-Security (STS) security header. Now we check STS only on HTTP 200 responses and ignore it on HTTP 301 (redirect) responses. We penalize the server only when the website is missing the Strict-Transport-Security (STS) security header on a 200 response or the header's setting is wrong. In these cases, we rate the server as "At risk".
Previously, we also checked STS on HTTP 301 responses and penalized the server if the Strict-Transport-Security (STS) security header was missing there. In these cases, we rated the server as "Not secure".
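To illustrate the new rule, here is an added example of how such a rating could be computed for a single response; it is not Discovery's own code. The MIN_MAX_AGE threshold, the "Not checked" and "Secure" labels, and the header values are assumptions, since the note does not state what counts as a wrong setting.

```python
# Assumed threshold: a max-age below one year counts as a "wrong" HSTS setting.
# Discovery's actual rule is not stated in the release note.
MIN_MAX_AGE = 31536000


def parse_hsts(value):
    """Split a Strict-Transport-Security header value into lowercase directives."""
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        directives[name.strip().lower()] = val.strip().strip('"')
    return directives


def hsts_setting_ok(value):
    """True when max-age is present, numeric, and at least MIN_MAX_AGE seconds."""
    d = parse_hsts(value)
    max_age = d.get("max-age", "")
    return max_age.isdigit() and int(max_age) >= MIN_MAX_AGE


def rate_sts(status, headers):
    """Rate one HTTP response under the updated rule.

    301 (and any non-200) responses are ignored: "Not checked".
    200 responses missing the header or with a bad setting: "At risk".
    Otherwise the assumed positive label "Secure".
    """
    if status != 200:
        return "Not checked"
    # Header names are case-insensitive, so match them case-insensitively.
    hsts = next((v for k, v in headers.items()
                 if k.lower() == "strict-transport-security"), None)
    if hsts is None or not hsts_setting_ok(hsts):
        return "At risk"
    return "Secure"


if __name__ == "__main__":
    # Constructed sample responses for a quick demonstration.
    print(rate_sts(301, {"Location": "https://example.com/"}))   # Not checked
    print(rate_sts(200, {}))                                      # At risk
    print(rate_sts(200, {"Strict-Transport-Security": "max-age=0"}))  # At risk
    print(rate_sts(200, {"strict-transport-security":
                         "max-age=31536000; includeSubDomains"}))  # Secure
```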
To view Security headers results, go to the endpoint's Server details page. In the sidebar menu, click Discovery > View Results. On the Certificates page, click View endpoints. On the Endpoints page, click the endpoint's IP address / FQDN link.
Update note: The updated STS rating system is available in the latest sensor version, 3.7.7. After the sensor update is complete, rerun your scans to see your updated STS ratings.