Dynatrace Organizer

Self Service Summary


Your security team is asking to "enable HSTS", or is alerting that "HSTS is missing" or "Strict Transport Security Not Enforced" for Dynatrace ActiveGate or Managed, or that the "Strict Transport Security header is not present in the response" for OneAgent.


| Issue | Solution | Tasks | Alternative(s) |
| --- | --- | --- | --- |
| Security concern regarding HSTS (HTTP Strict Transport Security) for ActiveGate, Managed or OneAgent | Explain that HSTS is not applicable here - see below | Check below information and explain it to your Security Team | Submit a support ticket if you need additional details or you face a different scenario |


First of all, a quick recap of what the HSTS (HTTP Strict Transport Security) header is all about (taken from the RFC or also explained on Wikipedia):

If the HSTS header is set in an HTTPS response, the User Agent (= Browser) should from then on only use trusted HTTPS connections for all requests to the same host for the specified amount of time.
We do not support enabling HSTS on Dynatrace Managed cluster nodes or on ActiveGates.

HSTS is generally intended for public Internet servers, whereas Dynatrace Managed cluster nodes are generally internal-only servers. User browsers should not be connecting directly to ActiveGates in most use cases, and certainly not as a primary connection.
Note: To avoid showing up in security scans, Dynatrace adds HSTS for the following ActiveGate endpoints: Environment API v1, Environment API v2, Configuration API, State API (/rest/state, /rest/health).

As a last remark, the Dynatrace OneAgent is not aware of the HTTP server/app server configuration, so it doesn't know whether HSTS is generally enabled or not. In fact, the Agent cannot know for sure, because this header could also be added by another network device (reverse proxy, load balancer, ...).
For this reason, OneAgent cannot add this header as it would tell the HTTP client to only send requests via HTTPS to this site from then on. This could potentially break the web application if it's not designed to serve all requests via HTTPS.
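
The browser-side behaviour recapped above, and the reason an injected header could break a site that still serves some requests over plain HTTP, modelled as an added example (not Dynatrace code): a small header parser and known-host store following the rules of RFC 6797. The `store` dictionary, function names and hostnames are constructed for illustration.

```python
from urllib.parse import urlsplit, urlunsplit

def parse_sts(value):
    """Return (max_age, include_subdomains) for a header value, or None if invalid."""
    max_age, include_sub, seen = None, False, set()
    for part in filter(None, (p.strip() for p in value.split(";"))):
        name, _, val = part.partition("=")
        name = name.strip().lower()
        if name in seen:
            return None  # each directive may appear only once
        seen.add(name)
        if name == "max-age":
            val = val.strip().strip('"')
            if not (val.isascii() and val.isdigit()):
                return None
            max_age = int(val)
        elif name == "includesubdomains":  # any other directive is ignored
            include_sub = True
    return None if max_age is None else (max_age, include_sub)

def observe(store, url, sts_value, now):
    """Update store (host -> (expiry, include_subdomains)) from one response."""
    u = urlsplit(url)
    policy = parse_sts(sts_value)
    host = u.hostname or ""
    is_ip = ":" in host or host.replace(".", "").isdigit()
    if u.scheme != "https" or not host or is_ip or policy is None:
        return  # ignored on plain-HTTP responses and for IP-literal hosts
    if policy[0] == 0:
        store.pop(host, None)  # max-age=0 makes the browser forget the host
    else:
        store[host] = (now + policy[0], policy[1])

def is_hsts_host(store, host, now):
    labels = host.lower().split(".")
    for i in range(len(labels)):
        entry = store.get(".".join(labels[i:]))
        # a parent domain only counts if it set includeSubDomains
        if entry and entry[0] > now and (i == 0 or entry[1]):
            return True
    return False

def rewrite(store, url, now):
    """Return the URL the browser would actually request."""
    u = urlsplit(url)
    if u.scheme != "http" or not u.hostname or not is_hsts_host(store, u.hostname, now):
        return url
    netloc = u.hostname if u.port in (None, 80) else f"{u.hostname}:{u.port}"
    return urlunsplit(("https", netloc, u.path, u.query, u.fragment))
```

Once one HTTPS response carries the header, every later `http://` request to that host is upgraded until the entry expires, so any resource that is only reachable over plain HTTP stops loading.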

Version history
Last update: 02 Oct 2023 08:03 AM
DynaMight Legend

Thank you @stefanie_pachne for sharing this! 

DynaMight Guru

Bookmarked, thanks for this.

DynaMight Champion

Thanks for sharing.