
QID 11827 Vulnerability on 1505 after implementing SSL in 10.4


Article ID: 141141


Updated On:


CA Cloud Test Mobile CA Application Test


We see that once we implemented the SSL protocol in two DevTest environments, both of those environments now come up with the 1505 QID 11827 vulnerability in version 10.4.


Release : 10.4

Component : CA Service Virtualization


The "HTTP Security Header Not detected for port 1505" vulnerability is reported for the "Strict-Transport-Security" header, which is applicable to HTTPS requests only.

We have a Fix for this: 

"patch_DE439275_10.4.0_GA.jar". This includes fixes for both "X-XSS-Protection HTTP Header missing on port 1505" and "Strict-Transport-Security HTTP Header missing on port 1505".


Steps to apply:

1. Stop all the services.

2. Go to the /lib/patches folder. (Create the patches folder if it doesn't exist).

3. Copy and paste the attached patch 'patch_DE439275_10.4.0_GA.jar' into the patches folder.

4. Restart all the components.

5. Run a scan.

Additionally, you can verify the fix after applying the patch by opening the URL "https://localhost:1505" in a browser and inspecting the response headers listed under the browser's Network tab for that URL. You should now see the following response headers:

Strict-Transport-Security: max-age=31556926; includeSubDomains

Content-Security-Policy: default-src *; style-src * 'unsafe-inline'; script-src * 'unsafe-inline' 'unsafe-eval'; img-src * data: 'unsafe-inline'; connect-src * 'unsafe-inline'; frame-src *;

X-Content-Type-Options: nosniff

X-Frame-Options: SAMEORIGIN

X-XSS-Protection: 1;mode=block
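To verify the headers without a browser, here is an added Python check (not part of this article or of the DevTest product) that compares a response's headers against the list above. It assumes the endpoint is https://localhost:1505 with DevTest's self-signed certificate, so certificate verification is skipped for the check, and it tests Content-Security-Policy for presence only, since the listed policy (wildcard sources with 'unsafe-inline' and 'unsafe-eval') is a deployment choice rather than a fixed value.

```python
"""Check the security headers on a DevTest 1505 endpoint after applying patch_DE439275.

Added example, not part of the KB article or CA's code. Assumes the endpoint is
https://localhost:1505 and uses the self-signed DevTest certificate, so
certificate verification is disabled for this check only.
"""
import ssl
import urllib.request

# Headers the article says should be present after the patch, with the values
# it lists. CSP is checked for presence only because its value is deployment specific.
EXPECTED = {
    "Strict-Transport-Security": "max-age=31556926; includeSubDomains",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "SAMEORIGIN",
    "X-XSS-Protection": "1;mode=block",
    "Content-Security-Policy": None,
}


def check_headers(headers):
    """Return {header: problem} for headers that are missing or differ; empty dict means pass."""
    problems = {}
    lower = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    for name, want in EXPECTED.items():
        got = lower.get(name.lower())
        if got is None:
            problems[name] = "missing"
        elif want is not None and got.replace(" ", "") != want.replace(" ", ""):
            problems[name] = f"unexpected value: {got}"
    return problems


def fetch_headers(url="https://localhost:1505", timeout=10):
    """Fetch the response headers from the DevTest endpoint (ignores the self-signed cert)."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with urllib.request.urlopen(url, context=ctx, timeout=timeout) as resp:
        return dict(resp.headers.items())


# Constructed sample of a pre-patch response: HSTS and X-XSS-Protection are absent.
SAMPLE_UNPATCHED = {
    "Content-Type": "text/html",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "SAMEORIGIN",
    "Content-Security-Policy": "default-src *",
}

if __name__ == "__main__":
    for name, problem in sorted(check_headers(fetch_headers()).items()):
        print(f"{name}: {problem}")
```

Run it on each machine where the DevTest components are installed; an empty result means all five headers are present with the documented values.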

Note: Apply this patch on all the machines where the DevTest components are running.


Please open a support ticket for this and reference DE439275 in the description.