We see that once we implemented the SSL protocol in two DevTest environments, both of those environments are now reporting the QID 11827 vulnerability on port 1505 in version 10.4.
Release : 10.4
Component : CA Service Virtualization
The "HTTP Security Header Not Detected for port 1505" vulnerability is reported for the "Strict-Transport-Security" header, which is applicable to HTTPS requests only.
We have a fix for this: "patch_DE439275_10.4.0_GA.jar". It includes both the "X-XSS-Protection HTTP Header missing on port 1505" and the "Strict-Transport-Security HTTP Header missing on port 1505" fixes.
Steps to apply:
1. Stop all the services.
2. Go to the /lib/patches folder. (Create the patches folder if it doesn't exist).
3. Copy and paste the attached patch 'patch_DE439275_10.4.0_GA.jar' into the patches folder.
4. Restart all the components.
5. Run a scan.
Additionally, you can verify the fix after applying the patch by opening the URL "https://localhost:1505" in a browser and checking the response headers for that URL under the browser's Network tab. You should now see the following response headers:
Strict-Transport-Security: max-age=31556926; includeSubDomains
Content-Security-Policy: default-src *; style-src * 'unsafe-inline'; script-src * 'unsafe-inline' 'unsafe-eval'; img-src * data: 'unsafe-inline'; connect-src * 'unsafe-inline'; frame-src *;
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1;mode=block
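The browser check above can be scripted so it is repeatable across every machine the patch must be applied to. The following is an added example, not code from the KB article or from CA Service Virtualization: it requests https://localhost:1505, compares the response headers against the list above, and reports each header as present, missing or carrying an unexpected value. The function names and the constructed sample headers are assumptions; the expected header values come from the article.

```python
"""Check the security response headers expected on port 1505 after the
DE439275 patch.  Added example; host, port and expected values are taken
from the KB article, everything else here is an assumption."""
import ssl
import sys
import urllib.request

# Headers the article lists as present after the patch. None means
# "check presence only" (the CSP value is long and site-specific).
EXPECTED_HEADERS = {
    "Strict-Transport-Security": "max-age=31556926; includeSubDomains",
    "Content-Security-Policy": None,
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "SAMEORIGIN",
    "X-XSS-Protection": "1;mode=block",
}


def check_security_headers(headers):
    """Return {header: 'ok' | 'missing' | 'unexpected: <value>'}.

    Header names are matched case-insensitively, as HTTP requires, so the
    same check works on a browser's Network tab dump or a raw response."""
    lowered = {name.lower(): value for name, value in headers.items()}
    result = {}
    for name, expected in EXPECTED_HEADERS.items():
        actual = lowered.get(name.lower())
        if actual is None:
            result[name] = "missing"
        elif expected is None or actual.strip() == expected:
            result[name] = "ok"
        else:
            result[name] = f"unexpected: {actual.strip()}"
    return result


def fetch_headers(url="https://localhost:1505", timeout=10, verify_cert=True):
    """Fetch the response headers from the DevTest endpoint.

    A DevTest install frequently runs on a self-signed certificate; pass
    verify_cert=False only for this loopback check, never for remote hosts."""
    ctx = ssl.create_default_context()
    if not verify_cert:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    with urllib.request.urlopen(url, timeout=timeout, context=ctx) as resp:
        return dict(resp.headers.items())


# Constructed sample of what an unpatched server might answer with.
UNPATCHED_SAMPLE = {
    "Content-Type": "text/html",
    "X-Content-Type-Options": "nosniff",
}


if __name__ == "__main__":
    try:
        status = check_security_headers(fetch_headers(verify_cert=False))
    except Exception as exc:  # connection refused, TLS error, HTTP error
        print(f"fetch failed: {exc}")
        sys.exit(2)
    for name, state in status.items():
        print(f"{name}: {state}")
    sys.exit(0 if all(s == "ok" for s in status.values()) else 1)
```

Run it on each host where DevTest components are running; a non-zero exit code tells you which header is still missing before the next scan is scheduled.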
Note: Apply this patch on all the machines where the DevTest components are running.
Please open a support ticket for this and reference DE439275 in the description.