Symantec Data Loss Prevention (DLP) Enforce
A vulnerability scanner reports that the DLP web server (Tomcat) may be vulnerable because HTTP security headers are missing.
How do you confirm the presence of HTTP security headers?
Vulnerability scanners often report missing headers because none are set on the front page that is served before the logon page.
The scan detects the vulnerability before the Enforce web page loads.
The redirect page is built on the base Tomcat instance.
It has no sensitive information in it or access to the underlying web server components.
Thus, the scanner picks up a "vulnerability".
This reported vulnerability is nothing to worry about, and all checks should be made from: https://[ENFORCE URL]
Once the Protect Manager web app (where DLP resides) takes over, all protections are in place.
To confirm the HTTP security headers, take the following steps:
In Internet Explorer:
In Mozilla Firefox:
All examples are from a 15.5 DLP environment.
This applies to:
QID-11827 - Security Header Not Detected
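A scripted version of the comparison described above, showing that the first redirect response lacks the headers while the application page carries them. This is an added example, not code from the original article or from the product: it parses header output such as `curl -sIL https://[ENFORCE URL]` prints, and the header list, host name, path and sample responses are assumptions constructed for illustration.

```python
# Added example: audit security headers on every hop of a redirect chain.
# SECURITY_HEADERS is an assumed list; match it to what your scanner reports.
SECURITY_HEADERS = (
    "strict-transport-security", "x-frame-options",
    "x-content-type-options", "content-security-policy",
)

# Constructed sample: header output for a two-hop chain, in the form
# `curl -sIL` prints it (placeholder host and path, not real DLP output).
SAMPLE = """\
HTTP/1.1 302 Found
Location: https://enforce.example.test/placeholder/logon
Content-Length: 0

HTTP/1.1 200 OK
Strict-Transport-Security: max-age=31536000
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
Content-Security-Policy: default-src 'self'
Content-Type: text/html;charset=UTF-8
"""

def audit(raw):
    """Return one dict per response hop: status, redirect target, missing headers."""
    hops = []
    blocks = raw.replace("\r\n", "\n").strip().split("\n\n")
    for block in blocks:
        lines = [l for l in block.split("\n") if l.strip()]
        if not lines or not lines[0].startswith("HTTP/"):
            continue  # skip anything that is not a response header block
        status = int(lines[0].split()[1])
        pairs = (l.partition(":") for l in lines[1:])
        headers = {n.strip().lower(): v.strip() for n, sep, v in pairs if sep}
        hops.append({
            "status": status,
            "location": headers.get("location"),
            "missing": [h for h in SECURITY_HEADERS if h not in headers],
        })
    return hops

def final_hop_ok(raw):
    """True when the last (non-redirect) response carries every expected header."""
    hops = audit(raw)
    return bool(hops) and not 300 <= hops[-1]["status"] < 400 and not hops[-1]["missing"]

if __name__ == "__main__":
    for n, hop in enumerate(audit(SAMPLE), 1):
        print(n, hop["status"], hop["location"] or "-", "missing:", hop["missing"] or "none")
```

A finding that appears only on the 3xx hop and not on the final response matches the behaviour described in this article.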