
HTTP Security header not detected: Port 80 Returning 300 status

Question asked by John Soares on Jun 26, 2017
Latest reply on Jun 27, 2017 by John Soares

Could you explain why these headers would be required for automatically generated redirects from load balancers returning alternate status codes? Our findings are appearing only on port 80 for systems generating return status codes in the 300 redirect range, for example 302s. In this case, the header is not protecting anything with the retransmission that isn't being covered already by the 443 listening application. These appear to be false positives. If so, could Qualys update the scan to take redirect status codes into consideration before declaring the finding?
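An added example, not part of the original post and not Qualys's detection logic: a triage helper that separates port 80 responses that only redirect to HTTPS on the same host from responses that need a closer look. The function names, result labels and sample responses (with placeholder host `app.example.test`) are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

# 300 (Multiple Choices) and 304 (Not Modified) are 3xx but are not redirects.
REDIRECT_CODES = {301, 302, 303, 307, 308}

REDIRECT_ONLY = "redirect-only: evaluate headers on the HTTPS target"
SERVES_CONTENT = "review: non-redirect response served over HTTP"
NO_UPGRADE = "review: redirect does not upgrade to HTTPS"
OFF_HOST = "review: redirect leaves the scanned host"

# Constructed sample responses, not real scanner output.
SAMPLES = {
    "lb_302": b"HTTP/1.1 302 Found\r\nLocation: https://app.example.test/login\r\n"
              b"Content-Length: 0\r\n\r\n",
    "plain_200": b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html></html>",
    "downgrade": b"HTTP/1.1 301 Moved Permanently\r\n"
                 b"Location: http://app.example.test/\r\n\r\n",
    "off_host": b"HTTP/1.1 302 Found\r\nLocation: https://other.example.test/\r\n\r\n",
    "not_modified": b"HTTP/1.1 304 Not Modified\r\n\r\n",
}

def parse_response(raw: bytes):
    """Split a raw HTTP/1.x response into (status, lower-cased headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body

def triage(raw: bytes, scanned_host: str) -> str:
    """Classify one port 80 response for a missing-security-header finding."""
    status, headers, _ = parse_response(raw)
    if status not in REDIRECT_CODES:
        return SERVES_CONTENT
    target = urlsplit(headers.get("location", ""))
    if target.scheme.lower() != "https":  # also catches relative and missing Location
        return NO_UPGRADE
    if target.hostname != scanned_host.lower():
        return OFF_HOST
    return REDIRECT_ONLY

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name:13} {triage(raw, 'app.example.test')}")
```
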
