https://community.dynatrace.com/t5/Troubleshooting/VA-scan-shows-HSTS-vulnerability-for-ActiveGate-Managed-or/ta-p/215617 <H2>Self Service Summary</H2> <P>&nbsp;</P> <P>Security Team is asking to "enable HSTS", is alerting that "HSTS is missing",&nbsp;<SPAN>"Strict Transport Security Not Enforced",</SPAN>&nbsp;or that the "Strict Transport Security header is not present in the response" for Dynatrace ActiveGate, Managed, RUM or OneAgent.</P> <P>&nbsp;</P> <TABLE> <THEAD> <TR> <TH>Issue</TH> <TH>Solution</TH> <TH>Tasks</TH> <TH>Alternative(s)</TH> </TR> </THEAD> <TBODY> <TR> <TD>Security concern regarding HSTS (HTTP Strict Transport Security) for ActiveGate, Managed or OneAgent</TD> <TD>Explain that HSTS is not applicable here - see below</TD> <TD>Check below information and explain it to your Security Team</TD> <TD>Submit a support ticket if you need additional details or you face a different scenario</TD> </TR> </TBODY> </TABLE> <P>&nbsp;</P> <P><SPAN>First of all, a quick recap of what the HSTS (HTTP Strict Transport Security) header is all about (taken from the RFC&nbsp;</SPAN><A href="https://tools.ietf.org/html/rfc6797#section-2.2" target="_blank" rel="noopener noreferrer">https://tools.ietf.org/html/rfc6797#section-2.2</A><SPAN>&nbsp;or also explained on Wikipedia&nbsp;</SPAN><A href="https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security" target="_blank" rel="noopener noreferrer">https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security</A><SPAN>).</SPAN></P> <P><SPAN>If the HSTS header is set in an HTTPS response, the User Agent (= Browser) should from then on only use trusted HTTPS connections for all requests to the same host for the specified amount of time.</SPAN><BR /><SPAN>&nbsp;</SPAN><BR /><SPAN>We do not support enabling HSTS on Dynatrace Managed cluster nodes or on ActiveGates.</SPAN></P> <DIV class="zd-indent"> <P>HSTS is in general for public Internet servers, and in general, Dynatrace Managed cluster nodes are internal-only servers. User browsers should not be connecting directly to ActiveGates in most use cases, and certainly not as a primary connection.<BR />Note: To avoid showing up in security scans, Dynatrace adds HSTS for those ActiveGate endpoints: Environment API v1, Environment API v2, Configuration API, State API (/rest/state, /rest/health).</P> <P><SPAN>RUM: Since <A href="https://docs.dynatrace.com/docs/whats-new/activegate/sprint-303" target="_blank">ActiveGate v1.303</A>&nbsp;the HTTP response header </SPAN><CODE class="_ca0qyh40 _u5f3m5ip _n3tdyh40 _19bvm5ip _2rko1sit _11c81u0j _1reo1wug _18m91wug _1dqoglyw _1e0c1nu9 _bfhktkvp _16d9qvcn _syaz1fxt _vwz41kw7 _1i4q1hna _o5721jtm" data-renderer-mark="true">Strict-Transport-Security</CODE><SPAN> is added to all beacon requests. For HTTP beacon requests, the header is ignored see&nbsp;</SPAN><SPAN data-inline-card="true" data-card-url="https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security#description"><SPAN class="loader-wrapper"><A class="_1yt4x7n9 _2rkoiti9 _v56415x0 _1e0c1nu9 _16d9qvcn _syaz1y58 _1rkwglyw _4cvxmr28 _19ith6cr _bfhkhp5a _1a3b18uv _4fprglyw _5goinqa1 _9oik18uv _1bnxglyw _jf4cnqa1 _1nrm18uv _c2waglyw _1iohnqa1 _uizt1kdv _nt751r31 _49pcglyw _1hvw1o36 _1372tlke _7ehicw00 _1j5pglyw _1di629zg" tabindex="0" role="button" href="https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Strict-Transport-Security#description" target="_self" data-testid="inline-card-resolved-view"><SPAN class="_19itglyw _vchhusvi _r06hglyw _o5721jtm _1nmz9jpi _16d9qvcn _ca0qv77o _u5f31b66 _n3tdv77o _19bv1b66" data-testid="inline-card-icon-and-title"><SPAN class="_19itglyw _vchhusvi _r06hglyw">Strict-Transport-Security - HTTP | MDN</SPAN></SPAN></A></SPAN></SPAN><SPAN>.</SPAN></P> <P><SPAN>As a last remark, the Dynatrace OneAgent is not aware of the HTTP server/app server configuration, so it doesn't know if HSTS is generally enabled or not. The Agent cannot know for sure, because this header could potentially also be added on another network device (reverse proxy, load balancer,...).</SPAN><BR /><SPAN>For this reason, OneAgent cannot add this header as it would tell the HTTP client to only send requests via HTTPS to this site from then on. This could potentially break the web application if it's not designed to serve all requests via HTTPS.</SPAN></P> </DIV> Mon, 26 May 2025 08:29:57 GMT stefanie_pachne 2025-05-26T08:29:57Z https://community.dynatrace.com/t5/Troubleshooting/VA-scan-shows-HSTS-vulnerability-for-ActiveGate-Managed-or/ta-p/215617 <H2>Self Service Summary</H2> <P>&nbsp;</P> <P>Security Team is asking to "enable HSTS", is alerting that "HSTS is missing",&nbsp;<SPAN>"Strict Transport Security Not Enforced",</SPAN>&nbsp;or that the "Strict Transport Security header is not present in the response" for Dynatrace ActiveGate, Managed, RUM or OneAgent.</P> <P>&nbsp;</P> <TABLE> <THEAD> <TR> <TH>Issue</TH> <TH>Solution</TH> <TH>Tasks</TH> <TH>Alternative(s)</TH> </TR> </THEAD> <TBODY> <TR> <TD>Security concern regarding HSTS (HTTP Strict Transport Security) for ActiveGate, Managed or OneAgent</TD> <TD>Explain that HSTS is not applicable here - see below</TD> <TD>Check below information and explain it to your Security Team</TD> <TD>Submit a support ticket if you need additional details or you face a different scenario</TD> </TR> </TBODY> </TABLE> <P>&nbsp;</P> <P><SPAN>First of all, a quick recap of what the HSTS (HTTP Strict Transport Security) header is all about (taken from the RFC&nbsp;</SPAN><A href="https://tools.ietf.org/html/rfc6797#section-2.2" target="_blank" rel="noopener noreferrer">https://tools.ietf.org/html/rfc6797#section-2.2</A><SPAN>&nbsp;or also explained on Wikipedia&nbsp;</SPAN><A href="https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security" target="_blank" rel="noopener noreferrer">https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security</A><SPAN>).</SPAN></P> <P><SPAN>If the HSTS header is set in an HTTPS response, the User Agent (= Browser) should from then on only use trusted HTTPS connections for all requests to the same host for the specified amount of time.</SPAN><BR /><SPAN>&nbsp;</SPAN><BR /><SPAN>We do not support enabling HSTS on Dynatrace Managed cluster nodes or on ActiveGates.</SPAN></P> <DIV class="zd-indent"> <P>HSTS is in general for public Internet servers, and in general, Dynatrace Managed cluster nodes are internal-only servers. User browsers should not be connecting directly to ActiveGates in most use cases, and certainly not as a primary connection.<BR />Note: To avoid showing up in security scans, Dynatrace adds HSTS for those ActiveGate endpoints: Environment API v1, Environment API v2, Configuration API, State API (/rest/state, /rest/health).</P> <P><SPAN>RUM: Since <A href="https://docs.dynatrace.com/docs/whats-new/activegate/sprint-303" target="_blank">ActiveGate v1.303</A>&nbsp;the HTTP response header </SPAN><CODE class="_ca0qyh40 _u5f3m5ip _n3tdyh40 _19bvm5ip _2rko1sit _11c81u0j _1reo1wug _18m91wug _1dqoglyw _1e0c1nu9 _bfhktkvp _16d9qvcn _syaz1fxt _vwz41kw7 _1i4q1hna _o5721jtm" data-renderer-mark="true">Strict-Transport-Security</CODE><SPAN> is added to all beacon requests. For HTTP beacon requests, the header is ignored see&nbsp;</SPAN><SPAN data-inline-card="true" data-card-url="https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security#description"><SPAN class="loader-wrapper"><A class="_1yt4x7n9 _2rkoiti9 _v56415x0 _1e0c1nu9 _16d9qvcn _syaz1y58 _1rkwglyw _4cvxmr28 _19ith6cr _bfhkhp5a _1a3b18uv _4fprglyw _5goinqa1 _9oik18uv _1bnxglyw _jf4cnqa1 _1nrm18uv _c2waglyw _1iohnqa1 _uizt1kdv _nt751r31 _49pcglyw _1hvw1o36 _1372tlke _7ehicw00 _1j5pglyw _1di629zg" tabindex="0" role="button" href="https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Strict-Transport-Security#description" target="_self" data-testid="inline-card-resolved-view"><SPAN class="_19itglyw _vchhusvi _r06hglyw _o5721jtm _1nmz9jpi _16d9qvcn _ca0qv77o _u5f31b66 _n3tdv77o _19bv1b66" data-testid="inline-card-icon-and-title"><SPAN class="_19itglyw _vchhusvi _r06hglyw">Strict-Transport-Security - HTTP | MDN</SPAN></SPAN></A></SPAN></SPAN><SPAN>.</SPAN></P> <P><SPAN>As a last remark, the Dynatrace OneAgent is not aware of the HTTP server/app server configuration, so it doesn't know if HSTS is generally enabled or not. The Agent cannot know for sure, because this header could potentially also be added on another network device (reverse proxy, load balancer,...).</SPAN><BR /><SPAN>For this reason, OneAgent cannot add this header as it would tell the HTTP client to only send requests via HTTPS to this site from then on. This could potentially break the web application if it's not designed to serve all requests via HTTPS.</SPAN></P> </DIV> Mon, 26 May 2025 08:29:57 GMT https://community.dynatrace.com/t5/Troubleshooting/VA-scan-shows-HSTS-vulnerability-for-ActiveGate-Managed-or/ta-p/215617 stefanie_pachne 2025-05-26T08:29:57Z https://community.dynatrace.com/t5/Troubleshooting/VA-scan-shows-HSTS-vulnerability-for-ActiveGate-Managed-or/tac-p/215719#M257 <P>Thank you&nbsp;<a href="https://community.dynatrace.com/t5/user/viewprofilepage/user-id/28409">@stefanie_pachne</a>&nbsp;for sharing this!&nbsp;</P> Wed, 21 Jun 2023 20:35:48 GMT https://community.dynatrace.com/t5/Troubleshooting/VA-scan-shows-HSTS-vulnerability-for-ActiveGate-Managed-or/tac-p/215719#M257 ChadTurner 2023-06-21T20:35:48Z https://community.dynatrace.com/t5/Troubleshooting/VA-scan-shows-HSTS-vulnerability-for-ActiveGate-Managed-or/tac-p/215726#M258 <P>Bookmarked, thanks for this.</P> Wed, 21 Jun 2023 21:19:28 GMT https://community.dynatrace.com/t5/Troubleshooting/VA-scan-shows-HSTS-vulnerability-for-ActiveGate-Managed-or/tac-p/215726#M258 DanielS 2023-06-21T21:19:28Z https://community.dynatrace.com/t5/Troubleshooting/VA-scan-shows-HSTS-vulnerability-for-ActiveGate-Managed-or/tac-p/215741#M259 <P>Thanks for sharing.&nbsp;</P> Thu, 22 Jun 2023 07:13:41 GMT https://community.dynatrace.com/t5/Troubleshooting/VA-scan-shows-HSTS-vulnerability-for-ActiveGate-Managed-or/tac-p/215741#M259 Romanenkov_Al3x 2023-06-22T07:13:41Z https://community.dynatrace.com/t5/Troubleshooting/VA-scan-shows-HSTS-vulnerability-for-ActiveGate-Managed-or/tac-p/256907#M735 <P>thanks for sharing,</P><P>for more clarification, is there is any way to&nbsp;<SPAN>enable HSTS for Dynatrace managed cluster?</SPAN></P> Tue, 24 Sep 2024 07:11:01 GMT https://community.dynatrace.com/t5/Troubleshooting/VA-scan-shows-HSTS-vulnerability-for-ActiveGate-Managed-or/tac-p/256907#M735 IslamEsmail 2024-09-24T07:11:01Z https://community.dynatrace.com/t5/Troubleshooting/VA-scan-shows-HSTS-vulnerability-for-ActiveGate-Managed-or/tac-p/256918#M736 <P><a href="https://community.dynatrace.com/t5/user/viewprofilepage/user-id/68530">@IslamEsmail</a></P> <P>We consider this a false positive alert because&nbsp;<SPAN>HSTS is in general for public Internet servers. Dynatrace Managed cluster nodes are considered internal-only servers.&nbsp;</SPAN>Thus, w<SPAN>e do not support enabling HSTS on Dynatrace Managed cluster nodes.</SPAN></P> <P>Does this help?</P> Tue, 24 Sep 2024 07:59:37 GMT https://community.dynatrace.com/t5/Troubleshooting/VA-scan-shows-HSTS-vulnerability-for-ActiveGate-Managed-or/tac-p/256918#M736 stefanie_pachne 2024-09-24T07:59:37Z https://community.dynatrace.com/t5/Troubleshooting/VA-scan-shows-HSTS-vulnerability-for-ActiveGate-Managed-or/tac-p/256921#M737 <P><a href="https://community.dynatrace.com/t5/user/viewprofilepage/user-id/28409">@stefanie_pachne</a>&nbsp;</P><P>Thanks for clarification , and yes for me its help, lets see how it goes with the security geeks</P> Tue, 24 Sep 2024 08:06:25 GMT https://community.dynatrace.com/t5/Troubleshooting/VA-scan-shows-HSTS-vulnerability-for-ActiveGate-Managed-or/tac-p/256921#M737 IslamEsmail 2024-09-24T08:06:25Z https://community.dynatrace.com/t5/Troubleshooting/VA-scan-shows-HSTS-vulnerability-for-ActiveGate-Managed-or/tac-p/276275#M901 <P><a href="https://community.dynatrace.com/t5/user/viewprofilepage/user-id/28409">@stefanie_pachne</a>: how about Cluster ActiveGates serving as the public endpoint? They receive mobile device traffic from the internet. If there is an upstream load balancer in front of them, then it is not a problem, if HSTS can not be enabled on those ActiveGates?</P> Wed, 30 Apr 2025 09:10:54 GMT https://community.dynatrace.com/t5/Troubleshooting/VA-scan-shows-HSTS-vulnerability-for-ActiveGate-Managed-or/tac-p/276275#M901 AndrasKovacs 2025-04-30T09:10:54Z https://community.dynatrace.com/t5/Troubleshooting/VA-scan-shows-HSTS-vulnerability-for-ActiveGate-Managed-or/tac-p/276960#M904 <P>In AG 1.303, HSTS has been enabled on the RUM endpoints.</P> Mon, 12 May 2025 15:49:43 GMT https://community.dynatrace.com/t5/Troubleshooting/VA-scan-shows-HSTS-vulnerability-for-ActiveGate-Managed-or/tac-p/276960#M904 Zbigniew_Wroble 2025-05-12T15:49:43Z