
Hi Guys,
In one of the security scan reports, there are two vulnerability findings from the portal:
1. HTTP Strict Transport Security (HSTS) header is not configured (Remediation mentioned - It is recommended to implement HTTP Strict-Transport-Security response header which will let the web site tell browsers that it should only be accessed using HTTPS, instead of using HTTP.)
2. Cache-Control Header not properly configured (Remediation mentioned - Set the Cache-control response header to "no-cache, no-store, expires 0" on all responses.)
Can you kindly let me know how to enable these settings in Power Portal? Attaching screenshots from browser Network tool for better reference.
Hi @Pruss10,
Can you open a ticket with MS and share your findings from security scan report? I hope that will help MS to mitigate those issues from their end. Meanwhile, as a workaround you can use Head/Bottom content snippet that is added at the end of the head tag of all pages. You can set Cache-Control via meta tag (you should be able to do this with HSTS as well but I never tried it):
<meta http-equiv="Cache-control" content="no-cache">
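
To confirm whether either finding is actually closed, check the HTTP response headers the portal sends rather than the page markup. The following is an added example, not part of the original thread or of any Microsoft tooling: it assumes the scanner reads only response headers (as its remediation text implies), and the two sample responses are constructed. Note that RFC 6797 has browsers ignore Strict-Transport-Security supplied through a meta http-equiv element, so HSTS only takes effect as a real response header.

```python
# Added example: audit a raw HTTP response for the two findings in the scan report.
from email.parser import Parser

def parse_headers(raw):
    """Return the response headers (case-insensitive lookup), ignoring the body."""
    head, _, _body = raw.replace("\r\n", "\n").partition("\n\n")
    _status, _, header_block = head.partition("\n")
    return Parser().parsestr(header_block, headersonly=True)

def directives(value, sep):
    """Split a header value into a {directive: argument} dict."""
    out = {}
    for part in (value or "").split(sep):
        name, _, arg = part.strip().partition("=")
        if name:
            out[name.lower()] = arg.strip().strip('"')
    return out

def audit(raw):
    """List the findings that remain open for this response."""
    headers = parse_headers(raw)
    findings = []
    # HSTS: header must be present with a positive max-age (max-age=0 disables it).
    hsts = directives(headers.get("Strict-Transport-Security"), ";")
    max_age = hsts.get("max-age", "")
    if not max_age.isdecimal() or int(max_age) == 0:
        findings.append("hsts-missing-or-disabled")
    # Cache-Control: the report asks for both no-cache and no-store.
    cache = directives(headers.get("Cache-Control"), ",")
    missing = [d for d in ("no-cache", "no-store") if d not in cache]
    if missing:
        findings.append("cache-control-missing:" + ",".join(missing))
    return findings

# Constructed sample: only the meta tag workaround, no security headers.
META_ONLY = ("HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
             '<html><head><meta http-equiv="Cache-control" content="no-cache">'
             "</head></html>")
# Constructed sample: both headers set by the server.
HARDENED = ("HTTP/1.1 200 OK\r\n"
            "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
            "Cache-Control: no-cache, no-store\r\n\r\n<html></html>")

if __name__ == "__main__":
    print("meta only:", audit(META_ONLY))
    print("hardened :", audit(HARDENED))
```
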