Forum Discussion
Anonymous
5 years ago
Severity Update on plugin 84502 (HSTS Missing From HTTPS Server)
Summary: We will be updating the severity level of plugin 84502 to INFO (currently MEDIUM).
Change: Plugin 84502 checks if the remote...
niko_thome (Connect Contributor)
5 years ago
Hi @Edgar Coss,
at least for us (a Tenable customer) this change makes sense for a number of reasons:
- This plugin also alerts on a missing HSTS header on systems which are scanned by IP. Since you cannot get valid TLS certs for IPs, a strict redirection to an HTTPS port cannot send you to a secure site (since the site you're being forwarded to is presenting a wrong cert).
- This plugin only makes sense on HTTP endpoints which are accessed by end users (i.e. browsers; see section 2.1, Use Cases, in RFC 6797). In cases where the backend is scanned, the HSTS header doesn't make sense, since you typically configure the service which consumes the services of the scanned host to use a certain port. Most HTTP libraries which are used in backends do not support HSTS at all. Besides, HSTS is a standard to prevent end-user mistakes (accidentally browsing to an insecure port). In backend scenarios you should have explicit configurations and not rely on a redirect.
Don't get me wrong: it's a valid approach to scan for this issue, but I'd say it only makes sense in a web-app scanner, not in the infrastructure scans.
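The triage logic argued above (IP-literal targets and plain-HTTP endpoints cannot benefit from HSTS, so a missing header there is informational), written out as an added example; this is not Tenable's plugin code, and the header values and targets are constructed:

```python
import ipaddress
import re
from typing import Optional, Tuple

# Added example, not plugin 84502 itself: classify a "HSTS missing" observation
# using the reasoning from the reply above. Inputs below are constructed.


def parse_hsts(value: str) -> Optional[dict]:
    """Parse a Strict-Transport-Security value; None if max-age is missing/invalid."""
    directives = {}
    for part in value.split(";"):
        name, _, val = part.strip().partition("=")
        if name:
            directives[name.strip().lower()] = val.strip().strip('"')
    if not re.fullmatch(r"\d+", directives.get("max-age", "")):
        return None  # RFC 6797: a STS header without a valid max-age is ignored
    return {
        "max_age": int(directives["max-age"]),
        "include_subdomains": "includesubdomains" in directives,
        "preload": "preload" in directives,
    }


def is_ip_literal(host: str) -> bool:
    """True for IPv4/IPv6 literals (with or without IPv6 brackets)."""
    try:
        ipaddress.ip_address(host.strip("[]"))
        return True
    except ValueError:
        return False


def triage_hsts(target_host: str, scheme: str, headers: dict) -> Tuple[str, str]:
    """Return (severity, reason). MEDIUM only for a browser-facing, name-based
    HTTPS endpoint; INFO where no browser would ever honour the header anyway."""
    hsts = next((v for k, v in headers.items()
                 if k.lower() == "strict-transport-security"), None)
    if scheme.lower() != "https":
        return "INFO", "HSTS is only honoured over HTTPS; UAs ignore it on plain HTTP"
    if is_ip_literal(target_host):
        return "INFO", "target scanned by IP literal; HSTS hosts are domain names only"
    if hsts is None:
        return "MEDIUM", "name-based HTTPS endpoint without an HSTS policy"
    parsed = parse_hsts(hsts)
    if parsed is None or parsed["max_age"] == 0:
        return "MEDIUM", "HSTS header present but ineffective (no valid or zero max-age)"
    return "OK", "HSTS policy with max-age=%d" % parsed["max_age"]
```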