# suitecommerce
We just switched over from Versapay to MerchantE for our credit card processing. As part of the process, MerchantE had us register with Security Metrics for PCI compliance. They scanned our website for vulnerabilities, and it is failing the scan due to HSTS Missing From HTTPS Server (RFC 6797):
> The remote web server is not enforcing HSTS, as defined by RFC 6797. HSTS is an optional response header that can be configured on the server to instruct the browser to only communicate via HTTPS. The lack of HSTS allows downgrade attacks, SSL-stripping man-in-the-middle attacks, and weakens cookie-hijacking protections. See also: <https://tools.ietf.org/html/rfc6797>
Has anyone encountered this before? We are on SuiteCommerce Standard.
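For anyone trying to understand exactly what the scanner is checking for, the following is an added example (not SuiteCommerce code, not from anyone in this thread) that parses a `Strict-Transport-Security` header the way RFC 6797 section 6.1 describes and reports scanner-style findings: header missing, header malformed (no `max-age`, repeated directive), `max-age=0` (which tells browsers to forget the policy), or a `max-age` below an assumed minimum. The response headers it runs over are constructed inline, and the one-year `min_age` threshold is an assumption for illustration, not a value taken from Security Metrics or the RFC.

```python
"""Check an HTTPS response for a valid HSTS policy (RFC 6797).

Added example for this thread; it is not SuiteCommerce or Security Metrics
code. All header values below are constructed to exercise the parser offline.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# RFC 6797 section 6.1: directives are ';'-separated, directive names are
# case-insensitive, max-age is REQUIRED, and a directive MUST NOT appear twice.
# A directive value may be a token or a quoted-string.
_DIRECTIVE_RE = re.compile(
    r"""^\s*([!#$%&'*+\-.^_`|~0-9A-Za-z]+)\s*(?:=\s*(?:"([^"]*)"|([^\s;"]*)))?\s*$"""
)


@dataclass
class HstsPolicy:
    max_age: int
    include_subdomains: bool
    preload: bool  # not part of RFC 6797; a browser-vendor extension


def parse_hsts(value: str) -> Optional[HstsPolicy]:
    """Return the parsed policy, or None if a browser would discard the header."""
    seen: Dict[str, Optional[str]] = {}
    for raw in value.split(";"):
        if not raw.strip():
            continue  # empty directives (e.g. a trailing ';') are tolerated
        match = _DIRECTIVE_RE.match(raw)
        if not match:
            return None
        name = match.group(1).lower()
        val = match.group(2) if match.group(2) is not None else match.group(3)
        if name in seen:
            return None  # repeated directive makes the whole header invalid
        seen[name] = val
    max_age = seen.get("max-age")
    if max_age is None or not re.fullmatch(r"[0-9]+", max_age):
        return None  # max-age is mandatory and must be delta-seconds
    return HstsPolicy(int(max_age), "includesubdomains" in seen, "preload" in seen)


def assess_hsts(headers: Dict[str, str], over_https: bool = True,
                min_age: int = 31536000) -> List[str]:
    """Return scanner-style findings for one response; an empty list is a pass.

    min_age (one year here) is an assumed threshold for this example.
    """
    findings: List[str] = []
    lower = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    sts = lower.get("strict-transport-security")
    if sts is None:
        findings.append("HSTS missing from HTTPS server (RFC 6797)")
        return findings
    if not over_https:
        findings.append("Strict-Transport-Security is ignored by browsers on plain HTTP")
    policy = parse_hsts(sts)
    if policy is None:
        findings.append(f"Malformed Strict-Transport-Security header: {sts!r}")
    elif policy.max_age == 0:
        findings.append("max-age=0 tells browsers to forget the host; HSTS is disabled")
    elif policy.max_age < min_age:
        findings.append(f"max-age={policy.max_age} is below the assumed minimum of {min_age}s")
    return findings


if __name__ == "__main__":
    # Constructed responses: the failing case from the scan, then a passing one.
    samples = {
        "no header": {"Content-Type": "text/html; charset=utf-8"},
        "disabled": {"Strict-Transport-Security": "max-age=0"},
        "passing": {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"},
    }
    for label, hdrs in samples.items():
        print(label, "->", assess_hsts(hdrs) or ["OK"])
```

The check only has meaning for a response served over HTTPS, which is why the scanner phrases the finding as "missing from HTTPS server": per RFC 6797 a browser ignores the header on a plain-HTTP response, so serving it there does not satisfy the requirement.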
I was looking into this. We do have the option in the config record so that you can set your own response headers. However, on closer inspection it looks like Strict-Transport-Security is actually one of the ones that is on our blocklist. I don’t actually know why that is the case. Speaking of cases, you could raise one either asking to have this set on your account / site as a one-off change (which should be possible) or to add your name to an enhancement request to have this added as a feature.
Thanks @Steve Goldberg
When I submitted a case, support told me that running a scan on our website was against the TOS!
Well, I suppose it depends what kind of scan you're doing, but yes, that's the wording of the TOS.