AWI: Security Vulnerability: No HSTS Headers
Article ID: 187684

Products

CA Automic Workload Automation - Automation Engine CA Automic One Automation

Issue/Introduction

During a security review, the Automic Web Interface (AWI) or Analytics may be flagged as a risk for not returning HSTS headers.
This typically shows up as "HTTP Security Header Not Detected" and is caused by the Tomcat configuration rather than by AWI or Analytics.

Environment

Release : v12.2 / v12.3

Component : AUTOMATION ENGINE

Cause

This is due to the configuration of Tomcat, not AWI or Analytics.

Resolution

While this is Tomcat specific, adding the following filter definition and mapping to Tomcat's conf/web.xml may resolve the finding:

<filter>
  <filter-name>httpHeaderSecurity</filter-name>
  <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
  <async-supported>true</async-supported>
  <init-param>
    <param-name>antiClickJackingEnabled</param-name>
    <param-value>true</param-value>
  </init-param>
  <init-param>
    <param-name>hstsEnabled</param-name>
    <param-value>true</param-value>
  </init-param>
  <init-param>
    <param-name>hstsMaxAgeSeconds</param-name>
    <param-value>31536000</param-value>
  </init-param>
  <init-param>
    <param-name>hstsIncludeSubDomains</param-name>
    <param-value>true</param-value>
  </init-param>
  <init-param>
    <param-name>xssProtectionEnabled</param-name>
    <param-value>true</param-value>
  </init-param>
  <init-param>
    <param-name>blockContentTypeSniffingEnabled</param-name>
    <param-value>true</param-value>
  </init-param>
</filter>

<!-- The mapping for the HTTP header security Filter -->
<filter-mapping>
  <filter-name>httpHeaderSecurity</filter-name>
  <url-pattern>/*</url-pattern>
  <dispatcher>REQUEST</dispatcher>
</filter-mapping>

Additional Information

See https://tomcat.apache.org/tomcat-8.0-doc/config/filter.html#HTTP_Header_Security_Filter

Note: You may still see the HSTS vulnerability reported at https://tomcatservername.example.com:8443, but not at https://tomcatservername.example.com:8443/awi. This is a product limitation of the integration with Tomcat and one that would require an enhancement to the product to change. With the Jetty AWI, there are settings that can be put in place to fully resolve this. Please see the documentation for more information.
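To verify the fix from the scanner's point of view, the following checker parses a captured HTTP response head and validates the Strict-Transport-Security header against the values configured in the filter above (max-age of 31536000 and includeSubDomains). This is an example added to this article, not code from Automic or Tomcat; the two sample responses are constructed to mirror the note above (the /awi context carries the filter's headers, the server root does not), and the exact header text Tomcat emits may differ.

```python
"""Validate HSTS on captured HTTP response heads.

Added example, not part of Automic or Tomcat. Sample responses below are
constructed for illustration; capture real ones with curl -I against your
server to check the actual deployment.
"""
from typing import Dict, List, Tuple

# Expected values follow the init-params in the web.xml snippet above.
EXPECTED_HSTS_MAX_AGE = 31536000
EXPECTED_INCLUDE_SUBDOMAINS = True


def parse_hsts(value: str) -> Dict[str, object]:
    """Split a Strict-Transport-Security value into directives.

    Directives are ';'-separated and case-insensitive (RFC 6797); valueless
    directives such as includeSubDomains map to True.
    """
    directives: Dict[str, object] = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        directives[name.strip().lower()] = val.strip().strip('"') if val else True
    return directives


def check_hsts(headers: Dict[str, str]) -> List[str]:
    """Return a list of findings; an empty list means the header passes."""
    lowered = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    hsts = lowered.get("strict-transport-security")
    if hsts is None:
        return ["Strict-Transport-Security header missing (HTTP Security Header Not Detected)"]
    findings: List[str] = []
    directives = parse_hsts(hsts)
    max_age = directives.get("max-age")
    if max_age is None or not str(max_age).isdigit():
        findings.append("max-age directive missing or not numeric")
    elif int(max_age) < EXPECTED_HSTS_MAX_AGE:
        findings.append(f"max-age {max_age} is below expected {EXPECTED_HSTS_MAX_AGE}")
    if EXPECTED_INCLUDE_SUBDOMAINS and "includesubdomains" not in directives:
        findings.append("includeSubDomains directive missing")
    return findings


def parse_raw_response(raw: str) -> Tuple[str, Dict[str, str]]:
    """Split a raw HTTP/1.1 response head into its status line and a header dict."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, val = line.partition(":")
        headers[name.strip()] = val.strip()
    return lines[0], headers


def audit(raw: str) -> List[str]:
    """Parse a raw response head and run the HSTS check on it."""
    _, headers = parse_raw_response(raw)
    return check_hsts(headers)


# Constructed sample: the /awi context behind the filter.
AWI_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Strict-Transport-Security: max-age=31536000;includeSubDomains\r\n"
    "X-Frame-Options: DENY\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
)

# Constructed sample: the server root, which the note says is still flagged.
ROOT_RESPONSE = (
    "HTTP/1.1 404 Not Found\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
)

if __name__ == "__main__":
    for path, raw in (("/awi", AWI_RESPONSE), ("/", ROOT_RESPONSE)):
        findings = audit(raw)
        print(path, "PASS" if not findings else "FAIL: " + "; ".join(findings))
```

Run it against a real capture by pasting the output of `curl -sI https://<server>:8443/awi` into a string and passing it to `audit()`; a non-empty result is what a scanner would report.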