AWI: Security Vulnerability: No HSTS Headers
Article ID: 187684

Products

CA Automic Workload Automation - Automation Engine CA Automic One Automation

Issue/Introduction

During a security review, the Automic Web Interface (AWI) or Analytics may be flagged as a risk for not returning HSTS (HTTP Strict Transport Security) headers.
This may show up in the scan report as "HTTP Security Header Not Detected" and is related to Tomcat rather than to AWI or Analytics.

Environment

Release : v12.2 / v12.3

Component : AUTOMATION ENGINE

Cause

This is due to the configuration of Tomcat, not of AWI or Analytics.

Resolution

While this is Tomcat specific, adding the following to Tomcat's conf/web.xml may resolve it:

<!-- The HTTP header security Filter: adds HSTS, X-Frame-Options, X-XSS-Protection and X-Content-Type-Options -->
<filter>
  <filter-name>httpHeaderSecurity</filter-name>
  <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
  <async-supported>true</async-supported>
  <init-param>
    <param-name>antiClickJackingEnabled</param-name>
    <param-value>true</param-value>
  </init-param>
  <init-param>
    <param-name>hstsEnabled</param-name>
    <param-value>true</param-value>
  </init-param>
  <init-param>
    <param-name>hstsMaxAgeSeconds</param-name>
    <param-value>31536000</param-value>
  </init-param>
  <init-param>
    <param-name>hstsIncludeSubDomains</param-name>
    <param-value>true</param-value>
  </init-param>
  <init-param>
    <param-name>xssProtectionEnabled</param-name>
    <param-value>true</param-value>
  </init-param>
  <init-param>
    <param-name>blockContentTypeSniffingEnabled</param-name>
    <param-value>true</param-value>
  </init-param>
</filter>

<!-- The mapping for the HTTP header security Filter -->
<filter-mapping>
  <filter-name>httpHeaderSecurity</filter-name>
  <url-pattern>/*</url-pattern>
  <dispatcher>REQUEST</dispatcher>
</filter-mapping>
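To confirm the change took effect before re-running the scanner, the following Python script (added here as an example; it is not part of the article or of Automic) fetches a URL and checks the response headers that the filter above is configured to emit. The sample header set and the AWI URL are constructed placeholders, and the expected max-age is the 31536000 seconds from the snippet.

```python
"""Verify that a Tomcat-hosted AWI/Analytics endpoint returns the headers configured above."""
import re
import sys
import urllib.request

# Expected HSTS lifetime: the 31536000-second value from the web.xml snippet.
MIN_HSTS_MAX_AGE = 31536000

# Constructed sample of what the filter emits on an HTTPS response (not captured
# from a real AWI host); Tomcat writes "max-age=N;includeSubDomains".
SAMPLE_OK = {
    "Strict-Transport-Security": "max-age=31536000;includeSubDomains",
    "X-Frame-Options": "DENY",
    "X-Content-Type-Options": "nosniff",
}


def parse_hsts(value):
    """Split a Strict-Transport-Security value into (max_age, include_subdomains)."""
    max_age, include_sub = None, False
    for directive in (d.strip() for d in value.split(";")):
        m = re.fullmatch(r'max-age\s*=\s*"?(\d+)"?', directive, re.IGNORECASE)
        if m:
            max_age = int(m.group(1))
        elif directive.lower() == "includesubdomains":
            include_sub = True
    return max_age, include_sub


def check_security_headers(headers):
    """Map each check to True (pass) / False (fail); header names are case-insensitive."""
    h = {k.lower(): v for k, v in headers.items()}
    max_age, include_sub = parse_hsts(h.get("strict-transport-security", ""))
    return {
        "hsts_present": "strict-transport-security" in h,
        "hsts_max_age_ok": max_age is not None and max_age >= MIN_HSTS_MAX_AGE,
        "hsts_include_subdomains": include_sub,
        "x_frame_options": h.get("x-frame-options", "").upper() in ("DENY", "SAMEORIGIN"),
        "x_content_type_options": h.get("x-content-type-options", "").lower() == "nosniff",
    }


def fetch_and_check(url):
    """Request the URL (use https://; the filter only sends HSTS on secure requests)."""
    with urllib.request.urlopen(url) as resp:
        return check_security_headers(dict(resp.headers.items()))


if __name__ == "__main__":
    # Pass your AWI URL as the first argument; without one, the constructed sample is checked.
    results = fetch_and_check(sys.argv[1]) if len(sys.argv) > 1 else check_security_headers(SAMPLE_OK)
    for name, ok in results.items():
        print(f"{'PASS' if ok else 'FAIL'} {name}")
```

Run it against the HTTPS address of AWI, not the plain HTTP one: the filter only adds Strict-Transport-Security to responses Tomcat considers secure, so a scan over HTTP will still report the header as missing.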

Additional Information

See https://tomcat.apache.org/tomcat-8.0-doc/config/filter.html#HTTP_Header_Security_Filter