HSTS not turned on - Security Console


I’m a security engineer (junior), just getting started with Rapid7.

We are running the InsightVM Security Console in a locked-down environment.

We access it using a browser.

The pen test guys came in and said “you don’t have HSTS turned on in the security console webserver, this is a security risk, please turn it on”.

I can’t figure out how to turn on HSTS. The documentation says that the Security Console is running an “embedded web server” (I’m familiar with Apache and nginx), but I can’t see any documentation about how to turn on HSTS on the Security Console embedded web server.

Was wondering how to turn it on.
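Whatever the console-side answer turns out to be, you will want a way to confirm the pen testers' finding yourself and to re-check it after any change. The script below is an added example for this thread, not part of the original post and not Rapid7 code: it parses a `Strict-Transport-Security` header the way RFC 6797 describes it (required `max-age`, optional `includeSubDomains` and `preload` flags) and reports the things a tester would flag. The sample header sets are constructed, and the host and port 3780 in `fetch_headers()` are assumptions to adjust for your console.

```python
"""Check whether an HTTPS endpoint sends a usable HSTS header.

Added example for this thread; it is not part of the original post and
not Rapid7 code. The sample header sets below are constructed, and the
host/port in fetch_headers() are placeholder assumptions.
"""
import http.client
import ssl

# One year is the usual recommendation for max-age; the browser preload
# list requires at least this value.
MIN_MAX_AGE = 31536000


def parse_hsts(value):
    """Parse a Strict-Transport-Security header value (RFC 6797, 6.1).

    Directives are ';'-separated and case-insensitive. max-age is
    required; includeSubDomains and preload are valueless flags.
    """
    parsed = {"max_age": None, "include_subdomains": False,
              "preload": False, "errors": []}
    for raw in value.split(";"):
        token = raw.strip()
        if not token:
            continue
        name, _, arg = token.partition("=")
        name = name.strip().lower()
        arg = arg.strip().strip('"')
        if name == "max-age":
            if parsed["max_age"] is not None:
                parsed["errors"].append("duplicate max-age directive")
            elif not arg.isdigit():
                parsed["errors"].append(
                    f"max-age is not a non-negative integer: {arg!r}")
            else:
                parsed["max_age"] = int(arg)
        elif name == "includesubdomains":
            parsed["include_subdomains"] = True
        elif name == "preload":
            parsed["preload"] = True
        else:
            # Browsers ignore unknown directives; report them anyway.
            parsed["errors"].append(f"unknown directive {name!r}")
    if parsed["max_age"] is None:
        parsed["errors"].append("max-age directive missing")
    return parsed


def assess_hsts(headers):
    """Return a list of findings for a mapping of response headers.

    An empty list means the header is present, well formed, and carries
    a max-age of at least MIN_MAX_AGE.
    """
    lowered = {k.lower(): v for k, v in headers.items()}
    value = lowered.get("strict-transport-security")
    if value is None:
        return ["HSTS not enabled: no Strict-Transport-Security header"]
    parsed = parse_hsts(value)
    findings = list(parsed["errors"])
    max_age = parsed["max_age"]
    if max_age == 0:
        findings.append(
            "max-age=0 tells browsers to forget any stored HSTS policy")
    elif max_age is not None and max_age < MIN_MAX_AGE:
        findings.append(
            f"max-age={max_age} is below the recommended {MIN_MAX_AGE} (one year)")
    return findings


def fetch_headers(host, port=3780, cafile=None):
    """Fetch response headers from a console over TLS (assumed port 3780).

    Pass your internal CA bundle as cafile rather than disabling
    verification: browsers ignore an HSTS header received on a
    connection with certificate errors, so that is the case to test.
    """
    context = ssl.create_default_context(cafile=cafile)
    conn = http.client.HTTPSConnection(host, port, context=context, timeout=10)
    try:
        conn.request("HEAD", "/")
        return dict(conn.getresponse().getheaders())
    finally:
        conn.close()


# Constructed sample responses; not captured from any real console.
SAMPLE_RESPONSES = {
    "no_hsts": {"Server": "embedded", "Content-Type": "text/html"},
    "short_max_age": {"Strict-Transport-Security": "max-age=300"},
    "good": {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"},
}


def demo():
    """Assess each constructed sample and return {name: findings}."""
    return {name: assess_hsts(h) for name, h in SAMPLE_RESPONSES.items()}


if __name__ == "__main__":
    for name, findings in demo().items():
        print(name, "->", findings or ["ok"])
```

Against a live console, `assess_hsts(fetch_headers("console.example.internal", cafile="/path/to/internal-ca.pem"))` gives the same kind of findings; `curl -sI https://console:3780/ | grep -i strict` is the quick manual equivalent. Two caveats worth keeping in mind when you report back: the header only counts when it arrives over HTTPS on a connection whose certificate the browser trusts, so a self-signed console certificate undermines HSTS even once the header is there; and once a long `max-age` has been sent, browsers will refuse plain HTTP to that host until it expires, so make sure nothing still needs port 80 before you enable it.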


Not a direct answer, but I think a nudge in the right direction.