JBoss EAP 7.3
We configured as below and we could see the HSTS header was displayed in the Chrome dev tools
<filters>
<response-header name="hsts-header" header-name="Strict-Transport-Security" header-value="max-age=31536000;"/>
</filters>
But Nessus still detects the vulnerability "HSTS missing (RFC 6797)".
Is this a bug of Nessus? Because we tried Fortify WebInspect to scan and the HSTS check passed. Or is there any configuration to modify in standalone.xml for this?
BTW, we disabled the admin console (customer requirement) so there's nothing inside.
Many thanks.
We found the Red Hat document https://access.redhat.com/solutions/7018417 but this seems workable for the admin console ONLY.
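A small checker, added here as an example and not part of the post above or of JBoss/Undertow, that validates a Strict-Transport-Security header the way RFC 6797 describes it (a single header, a numeric max-age) and lets you run the same check over several paths of a deployment, so that what Chrome dev tools shows for one page can be compared with what a scanner receives for others. The sample responses are constructed; the hostname, paths and the 31536000-second minimum are assumptions.

```python
"""Validate Strict-Transport-Security (HSTS, RFC 6797) on HTTP responses.

Added example, not code from the original post or from JBoss EAP. The
sample responses below are constructed; fetch_headers() is a plain
network helper for checking a real deployment.
"""
import http.client
import ssl
from urllib.parse import urlparse


def parse_hsts(value):
    """Parse an STS header value into {directive_name_lower: value}.

    RFC 6797 grammar is `directive *( ";" [ directive ] )`, so a trailing
    ";" (as in the post's "max-age=31536000;") is legal and is ignored here.
    """
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        directives[name.strip().lower()] = val.strip().strip('"')
    return directives


def check_hsts(headers, min_max_age=31536000):
    """Return (ok, reason) for a list of (name, value) response headers.

    min_max_age is an assumed policy threshold (one year), not an RFC value.
    """
    sts = [v for (n, v) in headers if n.lower() == "strict-transport-security"]
    if not sts:
        return False, "no Strict-Transport-Security header on this response"
    if len(sts) > 1:
        # RFC 6797 section 8.1: a client processes only the first STS field.
        return False, "multiple STS headers; only the first one counts"
    d = parse_hsts(sts[0])
    if not d.get("max-age", "").isdigit():
        return False, "max-age missing or not a non-negative integer"
    if int(d["max-age"]) < min_max_age:
        return False, "max-age %s is below policy minimum %d" % (d["max-age"], min_max_age)
    return True, "ok"


def fetch_headers(url, timeout=10):
    """GET url over TLS and return (status, [(name, value), ...]).

    Certificate verification is left on; a self-signed test certificate will
    raise ssl.SSLError, which is the desired signal rather than a silent skip.
    """
    u = urlparse(url)
    ctx = ssl.create_default_context()
    conn = http.client.HTTPSConnection(u.hostname, u.port or 443, timeout=timeout, context=ctx)
    try:
        conn.request("GET", u.path or "/", headers={"Host": u.hostname})
        resp = conn.getresponse()
        return resp.status, resp.getheaders()
    finally:
        conn.close()


def check_responses(responses, min_max_age=31536000):
    """Run check_hsts over {label: (status, headers)} and return {label: (status, ok, reason)}."""
    out = {}
    for label, (status, headers) in responses.items():
        ok, reason = check_hsts(headers, min_max_age)
        out[label] = (status, ok, reason)
    return out


# Constructed samples: the kind of responses a scanner may request from one host.
SAMPLES = {
    "/ (filter applied)": (200, [("Content-Type", "text/html"),
                                  ("Strict-Transport-Security", "max-age=31536000;")]),
    "/does-not-exist": (404, [("Content-Type", "text/html")]),
    "/short-max-age": (200, [("Strict-Transport-Security", "max-age=300")]),
}


def check_samples():
    """Evaluate the constructed samples; returns {label: (status, ok, reason)}."""
    return check_responses(SAMPLES)


if __name__ == "__main__":
    for label, (status, ok, reason) in check_samples().items():
        print("%-22s %d %s %s" % (label, status, "PASS" if ok else "FAIL", reason))
    # To check a live host (assumed hostname), e.g.:
    # for p in ("/", "/does-not-exist"):
    #     status, hdrs = fetch_headers("https://app.example.internal" + p)
    #     print(p, status, check_hsts(hdrs))
```

Running the samples prints PASS for the root response and FAIL for the 404 and for the short max-age; pointing fetch_headers at each path a scanner is known to request shows whether the header is present on every response, not only the one inspected in the browser.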