Problem description
A scan of an OSS domain name used for storage detects the following security vulnerabilities: Insecure Transportation Security Protocol Supported (TLS 1.0), HTTP Strict Transport Security (HSTS) Policy Not Enabled, TLS/SSL Weak Cipher Suites, and Vulnerable JavaScript libraries.

Causes
Insecure Transportation Security Protocol Supported (TLS 1.0): The insecure transport protocol TLS 1.0 is enabled in the configuration.
HTTP Strict Transport Security (HSTS) Policy Not Enabled: The HTTP Strict Transport Security (HSTS) policy is disabled.
TLS/SSL Weak Cipher Suites: The configuration allows the use of weak cipher suites for TLS/SSL.
Vulnerable JavaScript libraries: The frontend uses JavaScript libraries that contain known security vulnerabilities.

Solutions
Insecure Transportation Security Protocol Supported (TLS 1.0): You can disable the TLS 1.0 protocol in OSS, CDN, DCDN, or Edge Security Acceleration (ESA).
HTTP Strict Transport Security (HSTS) Policy Not Enabled: In CDN or DCDN, you can configure and enable HSTS to force clients to use HTTPS.
TLS/SSL Weak Cipher Suites: In CDN, DCDN, or ESA, you can disable weak cipher suites and select high-security encryption algorithms.
Vulnerable JavaScript libraries: This vulnerability can lead to threats such as cross-site scripting (XSS) attacks and SQL injection. You can use the Managed Rules feature of ESA Standard Edition to protect against these threats. For more information, see Managed rules.
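
To confirm the first three fixes took effect on your own domain, the following added example (not part of the original article or any vendor tool) probes a host with a TLS 1.0-only handshake, reads the HSTS response header, and maps the result to the finding names above. The function names and the WEAK_MARKERS list are assumptions made for this example, and a single handshake shows only the one suite the server selected, not every suite it accepts.

```python
import http.client
import re
import socket
import ssl

# Assumed policy for this example: OpenSSL suite-name markers treated as weak.
WEAK_MARKERS = ("RC4", "3DES", "DES-CBC", "NULL", "EXP", "MD5", "ADH", "AECDH")

def hsts_max_age(value):
    """Return max-age in seconds from a Strict-Transport-Security value, else None."""
    m = re.search(r'(?:^|;)\s*max-age\s*=\s*"?(\d+)"?\s*(?:;|$)', value or "", re.I)
    return int(m.group(1)) if m else None

def is_weak_cipher(name):
    """True if an OpenSSL-style suite name contains one of WEAK_MARKERS."""
    return any(marker in name.upper() for marker in WEAK_MARKERS)

def probe_tls10(host, port=443, timeout=5):
    """Offer only TLS 1.0; return the negotiated suite name, or None if refused."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False  # testing protocol support, not server identity
    ctx.verify_mode = ssl.CERT_NONE
    ctx.minimum_version = ctx.maximum_version = ssl.TLSVersion.TLSv1
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return tls.cipher()[0]
    except (ssl.SSLError, OSError):  # also hit when local OpenSSL forbids TLS 1.0
        return None

def fetch_hsts(host, timeout=5):
    """Return the Strict-Transport-Security header from a HEAD / request."""
    conn = http.client.HTTPSConnection(host, timeout=timeout)
    try:
        conn.request("HEAD", "/")
        return conn.getresponse().getheader("Strict-Transport-Security")
    finally:
        conn.close()

def findings(tls10_suite, hsts_value):
    """Map observations to the finding names the scan on this page reports."""
    checks = [
        (tls10_suite is not None, "Insecure Transportation Security Protocol Supported (TLS 1.0)"),
        (not hsts_max_age(hsts_value), "HTTP Strict Transport Security (HSTS) Policy Not Enabled"),
        (bool(tls10_suite) and is_weak_cipher(tls10_suite), "TLS/SSL Weak Cipher Suites"),
    ]
    return [name for hit, name in checks if hit]

# Constructed observation (not real scan output): TLS 1.0 accepted with 3DES, no HSTS.
SAMPLE_FINDINGS = findings("DES-CBC3-SHA", None)
```

Against a live domain, call `findings(probe_tls10(host), fetch_hsts(host))`; an empty list means none of the three transport findings was observed from this client.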