🐛 Summary
The automated PSHTT scanner used for BOD web compliance checks is showing a few domains as having "hsts" = "false" and "hsts_max_age" = -1, when they otherwise appear to have an HSTS header with a valid max-age. While the automated checks used for the HTTPS report show non-compliance, running the PSHTT scanner locally returns the expected HSTS results for the same domain and shows compliance.
To reproduce
Steps to reproduce the behavior:
- Determine a domain not returning the expected HSTS results from the weekly results
- Review results for said domain within the HTTPS report and note non-compliance with HSTS checks
- Run PSHTT scans using Docker, "cisagov/domain-scan:latest --scan=pshtt"
- Note compliant HSTS headers on Docker scan vs. non-compliant HSTS headers on automated scan
Expected behavior
BOD reports to match what is detected via the manual "pshtt" checks.
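As an added example (not code from the original issue, nor from pshtt or domain-scan): a small Python reconciliation script for the comparison the repro steps describe. It parses Strict-Transport-Security values, returns the same -1 sentinel the report shows when no max-age can be found, and lists the domains where the scanner's "hsts" / "hsts_max_age" values disagree with the header a local request returned. The row layout, the sample domains and header values, and the one-year "strong HSTS" threshold are assumptions made for illustration, not taken from the issue.

```python
import re
from typing import Dict, List, Optional

# One year in seconds: the minimum max-age this example treats as "strong" HSTS.
# Assumed threshold for illustration; check the BOD 18-01 text for the value
# the official report applies.
ONE_YEAR = 31536000

# Matches the max-age directive wherever it sits in the header, quoted or not.
_MAX_AGE_RE = re.compile(r'(?:^|;)\s*max-age\s*=\s*"?(\d+)"?', re.IGNORECASE)


def parse_hsts_max_age(header: Optional[str]) -> int:
    """Return the max-age from a Strict-Transport-Security value.

    Returns -1 when the header is absent or carries no parseable max-age,
    mirroring the -1 sentinel the report shows for the affected domains.
    """
    if not header:
        return -1
    match = _MAX_AGE_RE.search(header)
    return int(match.group(1)) if match else -1


def hsts_verdict(header: Optional[str]) -> Dict[str, object]:
    """Local verdict for one domain: header present, its max-age, one-year check."""
    max_age = parse_hsts_max_age(header)
    return {
        "hsts": max_age >= 0,
        "hsts_max_age": max_age,
        "strong": max_age >= ONE_YEAR,
    }


def _as_bool(value) -> bool:
    """Scanner CSV/JSON exports may carry "false"/"true" strings or real bools."""
    if isinstance(value, str):
        return value.strip().lower() == "true"
    return bool(value)


def reconcile(scanner_rows: List[Dict], live_headers: Dict[str, Optional[str]]) -> List[Dict]:
    """Compare each scanner row against the header a local request returned.

    scanner_rows: dicts with "domain", "hsts", "hsts_max_age" (assumed layout).
    live_headers: domain -> Strict-Transport-Security value, or None if absent.
    """
    mismatches = []
    for row in scanner_rows:
        domain = row["domain"]
        local = hsts_verdict(live_headers.get(domain))
        remote_hsts = _as_bool(row["hsts"])
        remote_age = int(row["hsts_max_age"])
        if remote_hsts != local["hsts"] or remote_age != local["hsts_max_age"]:
            mismatches.append({
                "domain": domain,
                "scanner": {"hsts": remote_hsts, "hsts_max_age": remote_age},
                "local": local,
            })
    return mismatches


# Constructed sample data (not captured from any real scan or domain).
SAMPLE_SCANNER_ROWS = [
    {"domain": "a.example", "hsts": "false", "hsts_max_age": -1},      # flagged as in the issue
    {"domain": "b.example", "hsts": "true", "hsts_max_age": 31536000},  # scanner and local agree
    {"domain": "c.example", "hsts": "false", "hsts_max_age": -1},      # genuinely no HSTS
]
SAMPLE_LIVE_HEADERS = {
    "a.example": "max-age=31536000; includeSubDomains; preload",
    "b.example": "max-age=31536000; includeSubDomains",
    "c.example": None,
}

if __name__ == "__main__":
    for m in reconcile(SAMPLE_SCANNER_ROWS, SAMPLE_LIVE_HEADERS):
        print(m["domain"], "scanner:", m["scanner"], "local:", m["local"])
```

In practice `SAMPLE_LIVE_HEADERS` would be filled from the `Strict-Transport-Security` response header of an HTTPS request to each domain (the header is only meaningful on HTTPS responses), and `SAMPLE_SCANNER_ROWS` from the weekly results; only `a.example` is reported because its scanner row says no HSTS while the local header carries a one-year max-age.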