Our server is configured with two IP addresses (say ip1 and ip2) and running Apache httpd 2.4. The web server is configured for multiple virtual hosts:
Code:
Listen ip1:80
Listen ip1:443
Listen ip2:443
....
# Site1
<VirtualHost ip1:80>
ServerName http://host1.domain.com
DocumentRoot "/www1/doc"
....
</VirtualHost>
# Site1s
<VirtualHost ip1:443>
ServerName https://host1.domain.com
DocumentRoot "/www1/php"
....
</VirtualHost>
# Site2s
<VirtualHost ip2:443>
ServerName https://host2.domain.com
DocumentRoot "/www2/php"
....
</VirtualHost>
The host "Site1" serves ordinary HTML pages; "Site1s" and "Site2s" are web applications written in PHP. When I perform a security assessment on "https://host1.domain.com" using the Arachni scanner, the result contains a warning of "Missing Strict-Transport-Security header".
Following the instruction, I added the line "Header always set Strict-Transport-Security max-age=31536000" to the definitions of "Site1s" and "Site2s" and re-ran the scanner, but the result still has the STS warning.
I suspect that the warning is due to the co-existence of "Site1" and "Site1s".
Is there any workaround for this case?
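An added example, not part of the post above and not Apache or Arachni code: a small Python checker that evaluates a response's Strict-Transport-Security header the way a scanner would, so the HTTP (ip1:80) and HTTPS (ip1:443) virtual hosts can be tested separately before re-running the full assessment. It applies the rules from RFC 6797 that matter here: the header is only honoured on responses received over HTTPS, only the first STS header is processed, and max-age is mandatory. The two sample responses are constructed for illustration; `live_hsts_check` is an optional helper that uses the standard library to query a real host and is not exercised by the offline samples.

```python
"""Offline check of Strict-Transport-Security (HSTS) headers per RFC 6797.

Constructed sample responses stand in for what a scanner would receive
from a plain-HTTP virtual host and from an HTTPS virtual host.
"""
from typing import Dict, List

ONE_YEAR = 31536000  # seconds; the max-age value used in the post

# Constructed sample responses (not captured from any real server).
SAMPLE_HTTP_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.4\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html>...</html>"
)
SAMPLE_HTTPS_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.4\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
)


def parse_headers(raw: str) -> Dict[str, List[str]]:
    """Split a raw HTTP/1.1 response into a lower-cased header map."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers: Dict[str, List[str]] = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        if ":" not in line:
            continue
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def parse_hsts(value: str) -> Dict[str, object]:
    """Parse an STS field value into its directives (names are case-insensitive)."""
    directives: Dict[str, object] = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        name = name.strip().lower()
        val = val.strip().strip('"')
        if name == "max-age":
            directives["max-age"] = int(val) if val.isdigit() else None
        else:
            directives[name] = True if val == "" else val
    return directives


def check_hsts(headers: Dict[str, List[str]], scheme: str,
               min_age: int = ONE_YEAR) -> List[str]:
    """Return a list of findings; an empty list means the policy is acceptable."""
    findings: List[str] = []
    values = headers.get("strict-transport-security", [])
    if scheme != "https":
        # RFC 6797 section 8.1: a UA ignores STS headers received over
        # insecure transport, so an HTTP vhost never needs (or benefits from) one.
        if values:
            findings.append("HSTS header sent over plain HTTP is ignored by browsers")
        return findings
    if not values:
        findings.append("Missing Strict-Transport-Security header")
        return findings
    if len(values) > 1:
        findings.append("Multiple HSTS headers; only the first is processed")
    directives = parse_hsts(values[0])
    age = directives.get("max-age")
    if age is None:
        findings.append("HSTS max-age directive missing or not numeric")
    elif age < min_age:
        findings.append(f"HSTS max-age {age} is below {min_age}")
    if "includesubdomains" not in directives:
        findings.append("HSTS lacks includeSubDomains (informational)")
    return findings


def live_hsts_check(host: str, path: str = "/") -> List[str]:
    """Optional live check of a real HTTPS host using only the standard library."""
    import http.client
    conn = http.client.HTTPSConnection(host, timeout=10)
    conn.request("HEAD", path, headers={"Host": host})
    resp = conn.getresponse()
    headers: Dict[str, List[str]] = {}
    for name, value in resp.getheaders():
        headers.setdefault(name.lower(), []).append(value)
    conn.close()
    return check_hsts(headers, "https")


if __name__ == "__main__":
    print("http vhost :", check_hsts(parse_headers(SAMPLE_HTTP_RESPONSE), "http"))
    print("https vhost:", check_hsts(parse_headers(SAMPLE_HTTPS_RESPONSE), "https"))
```

Running the file reports no findings for either sample: the HTTPS response carries a one-year policy, and the HTTP response is not expected to carry one at all. Pointing `live_hsts_check("host1.domain.com")` at the real site after the `Header always set` line is in place shows whether the header actually reaches the client on port 443; if the scanner is still complaining, comparing that output with the scanner's own request (which vhost and port it hit) is the next thing to look at.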