anctop
11-26-2014 01:16 AM
HSTS header for mixed virtual hosts
Our server is configured with two IP addresses (say ip1 and ip2) and running Apache httpd 2.4. The web server is configured for multiple virtual hosts:
Code:
Listen ip1:80
Listen ip1:443
Listen ip2:443
....
# Site1 (plain HTTP; Apache comments must sit on their own line, not after a directive)
<VirtualHost ip1:80>
    ServerName http://host1.domain.com
    DocumentRoot "/www1/doc"
    ....
</VirtualHost>
# Site1s
<VirtualHost ip1:443>
    ServerName https://host1.domain.com
    DocumentRoot "/www1/php"
    ....
</VirtualHost>
# Site2s
<VirtualHost ip2:443>
    ServerName https://host2.domain.com
    DocumentRoot "/www2/php"
    ....
</VirtualHost>
The host "Site1" serves ordinary HTML pages; "Site1s" and "Site2s" are web applications written in PHP. When I perform a security assessment on "https://host1.domain.com" using the Arachni scanner, the result contains the warning "Missing Strict-Transport-Security header".
Following the instructions, I added the line "Header always set Strict-Transport-Security max-age=31536000" to the definitions of "Site1s" and "Site2s" and re-ran the scanner, but the result still shows the STS warning.
I suspect that the warning is due to the co-existence of "Site1" and "Site1s".
Is there any workaround for this case?
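The following check script is an added example, not part of the original post and not Arachni's own logic. It does what a scanner does when it raises this warning: it takes the headers of a response and decides whether a browser would actually apply an HSTS policy from them. Two points matter for the setup above: an STS header is only honoured when the response arrives over HTTPS (RFC 6797), so setting it in the ip1:80 vhost does nothing, and the value must parse with a single numeric max-age. The script uses only the standard library; the file name hsts_check.py and the sample responses are constructed for illustration, and the optional live lookup needs network access.

```python
# Added example (not from the original post): evaluate whether a response's
# Strict-Transport-Security header would be accepted by a browser.
import http.client
import ssl
import sys

RECOMMENDED_MIN_AGE = 31536000  # one year, the value used in the post


def parse_sts(value):
    """Split an STS header value into a {directive: value} dict (RFC 6797 s6.1).

    Raises ValueError on a repeated directive, which invalidates the whole header.
    """
    directives = {}
    for token in value.split(";"):
        token = token.strip()
        if not token:
            continue
        name, _, val = token.partition("=")
        name = name.strip().lower()
        val = val.strip().strip('"')
        if name in directives:
            raise ValueError(f"duplicate directive '{name}'")
        directives[name] = val
    return directives


def evaluate_sts(headers, over_tls, min_age=RECOMMENDED_MIN_AGE):
    """Return (ok, reason) for a response given as a list of (name, value) headers.

    over_tls says whether the response was received over HTTPS. Browsers discard
    an STS header received over plain HTTP, so a header set only in a :80 vhost
    never takes effect.
    """
    if not over_tls:
        return False, "response came over plain HTTP; browsers ignore STS there"
    values = [v for n, v in headers if n.lower() == "strict-transport-security"]
    if not values:
        return False, "no Strict-Transport-Security header in the HTTPS response"
    if len(values) > 1:
        return False, "several STS headers sent; browsers use only the first one"
    try:
        directives = parse_sts(values[0])
    except ValueError as exc:
        return False, f"malformed STS header: {exc}"
    max_age = directives.get("max-age")
    if max_age is None or not max_age.isdigit():
        return False, "max-age directive missing or not a number"
    age = int(max_age)
    if age == 0:
        return False, "max-age=0 tells browsers to forget the policy"
    if age < min_age:
        return False, f"max-age {age} is below the recommended {min_age}"
    return True, f"ok: max-age={age}"


def fetch_https_headers(host, port=443, path="/"):
    """HEAD request over TLS to a live host (needs network; not used by the samples)."""
    ctx = ssl.create_default_context()
    conn = http.client.HTTPSConnection(host, port, context=ctx, timeout=10)
    try:
        conn.request("HEAD", path, headers={"Host": host})
        return conn.getresponse().getheaders()
    finally:
        conn.close()


# Constructed sample responses standing in for the vhosts in the post.
SAMPLES = {
    "Site1 (ip1:80) with the header set there":
        (False, [("Strict-Transport-Security", "max-age=31536000")]),
    "Site1s before adding the header":
        (True, [("Content-Type", "text/html")]),
    "Site1s after adding the header":
        (True, [("Strict-Transport-Security", "max-age=31536000")]),
    "Site2s with a too-short policy":
        (True, [("Strict-Transport-Security", "max-age=300; includeSubDomains")]),
}

if __name__ == "__main__":
    if len(sys.argv) > 1:  # python hsts_check.py host1.domain.com
        host = sys.argv[1]
        print(host, evaluate_sts(fetch_https_headers(host), over_tls=True))
    else:
        for label, (tls, hdrs) in SAMPLES.items():
            print(f"{label}: {evaluate_sts(hdrs, tls)}")
```

Run it without arguments to see the verdict for each constructed sample, or with a hostname to fetch the live headers of the :443 vhost and evaluate them; if the live result is "ok" while the scanner still complains, compare the scanner's target URL against which vhost actually answered the request.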