This article explains the HSTS header, how to troubleshoot HSTS cases, and why a scan may report no HSTS when the Help page of a Security Console or Self-Service Console is accessed. The static help pages do not have HSTS enabled, but they also cannot be changed: they accept no input and no POST commands.
In your browser, open any RSA Authentication Manager Security Console or Self-Service Console page, right-click and choose "Inspect". Select the Network tab, then look at the response headers. See details in Resolution.
What is HSTS?
It is a Strict-Transport-Security header that is received in the first response from the web server and is managed by the browser. Once it is received, the browser will always use HTTPS for this specific domain for a certain number of seconds, known as max-age, which is set in the header itself.
The includeSubDomains directive forces HTTP traffic to any of the subdomains to be redirected to HTTPS as well.
How can we delete the HSTS settings?
Navigate to chrome://net-internals/#hsts. This is Chrome's UI for managing your browser's local HSTS settings.
First confirm that the domain's HSTS settings are recorded by Chrome by typing the hostname into the Query HSTS/PKP domain section at the bottom of the page.
Click Query. If the query box returns Found with settings information below, the domain's HSTS settings are saved in your browser. Note that this is an exact-match lookup: enter only the hostname, such as www.example.com or example.com, without a protocol or path.
Type the same hostname into the Delete domain security policies section and click Delete. Your browser will no longer force an HTTPS connection for that site.
What is HSTS Preloading?
There is still a window during which a user with a fresh install, or who wipes out their local state, is vulnerable, because the browser has not yet seen the header. Because of that, Chrome maintains an HSTS Preload List (and other browsers maintain lists based on the Chrome list). These domains are configured with HSTS out of the box.
If, for example, the customer owns a site or has a Self-Service Console that they would like to see included in the preloaded HSTS list, they can submit the request to HSTS Preload (hstspreload.org). The header should look like the example below:
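The following checker is an added example, not part of this article or of the RSA product: it parses a Strict-Transport-Security header value as the browser does (the max-age, includeSubDomains and preload directives described above), evaluates whether a set of response headers meets the usual preload submission requirements (max-age of at least one year, includeSubDomains and the preload directive), and runs over a few constructed responses, including one with no header at all, the situation a scan reports for a static help page. The sample headers, the 63072000-second (two-year) max-age and the response labels are constructed for the example.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

ONE_YEAR = 31536000  # seconds; the minimum max-age hstspreload.org accepts

Headers = List[Tuple[str, str]]


@dataclass
class HstsPolicy:
    max_age: int
    include_subdomains: bool
    preload: bool


def parse_hsts(value: str) -> Optional[HstsPolicy]:
    """Parse a Strict-Transport-Security value (RFC 6797 directive syntax).

    Directive names are case-insensitive and max-age may be quoted. A header
    without a valid max-age is ignored by browsers, so None is returned.
    """
    max_age = None
    include_subdomains = preload = False
    for directive in value.split(";"):
        directive = directive.strip()
        if not directive:
            continue
        name, _, arg = directive.partition("=")
        name = name.strip().lower()
        arg = arg.strip().strip('"')
        if name == "max-age":
            if not arg.isdigit():
                return None
            max_age = int(arg)
        elif name == "includesubdomains":
            include_subdomains = True
        elif name == "preload":
            preload = True
    if max_age is None:
        return None
    return HstsPolicy(max_age, include_subdomains, preload)


def find_hsts(headers: Headers) -> Optional[str]:
    """Return the STS header value from (name, value) pairs, matching case-insensitively."""
    for name, value in headers:
        if name.lower() == "strict-transport-security":
            return value
    return None


def preload_eligible(policy: Optional[HstsPolicy]) -> bool:
    """True when the policy satisfies the preload-list submission rules."""
    return (policy is not None and policy.max_age >= ONE_YEAR
            and policy.include_subdomains and policy.preload)


def assess(headers: Headers) -> List[str]:
    """Return human-readable findings for one HTTPS response's headers."""
    value = find_hsts(headers)
    if value is None:
        return ["no Strict-Transport-Security header in this response"]
    policy = parse_hsts(value)
    if policy is None:
        return ["Strict-Transport-Security header is invalid (missing or bad max-age)"]
    findings = []
    if policy.max_age == 0:
        findings.append("max-age=0 tells the browser to drop its cached policy")
    elif policy.max_age < ONE_YEAR:
        findings.append(f"max-age {policy.max_age}s is below one year")
    if not policy.include_subdomains:
        findings.append("includeSubDomains is not set")
    if policy.preload and not preload_eligible(policy):
        findings.append("preload directive present but preload requirements are not met")
    return findings


# Constructed sample responses (not captured from a real server).
SAMPLE_RESPONSES = {
    "console login page": [("Content-Type", "text/html"),
                           ("Strict-Transport-Security", "max-age=63072000; includeSubDomains")],
    "static help page": [("Content-Type", "text/html")],
    "preload-ready": [("strict-transport-security",
                       "max-age=63072000; includeSubDomains; preload")],
    "short policy": [("Strict-Transport-Security", "max-age=300")],
}

if __name__ == "__main__":
    for label, headers in SAMPLE_RESPONSES.items():
        print(f"{label}: {assess(headers) or ['ok']}")
```

The "static help page" sample is the case discussed in this article: the response has no header, but a browser that already received the two-year policy from the login page keeps enforcing HTTPS for the host regardless, which is why the finding should be read together with the URL the scanner actually fetched.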
RSA Support has heard of a scan finding a console help page that did not have HSTS set, which is why you should ask for the specific URL details of any scan finding. RSA Engineering's response is that this is not exploitable and carries no inherent risk because:
Authentication Manager has already sent the browser the HSTS setting with a two-year max-age, so the browser will honor that setting for the whole host, and
these help pages are static, with no option to perform an upload or POST.