AWI: Security Vulnerability: No HSTS Headers

Article ID: 187684

Products

CA Automic Workload Automation - Automation Engine

Issue/Introduction

During a security review, the Automic Web Interface (AWI) or Analytics may be flagged as a risk because it does not return HSTS headers.
This typically shows up as "HTTP Security Header Not Detected" and relates to Tomcat rather than to AWI or Analytics themselves.

Cause

This is due to the configuration of Tomcat, not AWI or Analytics. 

Environment

Release: v12.2 / v12.3

Component: AUTOMATION ENGINE

Resolution

While this is Tomcat specific rather than an AWI or Analytics setting, adding the following filter definition and mapping to Tomcat's conf/web.xml should resolve the finding:

<filter>
  <filter-name>httpHeaderSecurity</filter-name>
  <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
  <async-supported>true</async-supported>
  <init-param>
    <param-name>antiClickJackingEnabled</param-name>
    <param-value>true</param-value>
  </init-param>
  <init-param>
    <param-name>hstsEnabled</param-name>
    <param-value>true</param-value>
  </init-param>
  <init-param>
    <param-name>hstsMaxAgeSeconds</param-name>
    <param-value>31536000</param-value>
  </init-param>
  <init-param>
    <param-name>hstsIncludeSubDomains</param-name>
    <param-value>true</param-value>
  </init-param>
  <init-param>
    <param-name>xssProtectionEnabled</param-name>
    <param-value>true</param-value>
  </init-param>
  <init-param>
    <param-name>blockContentTypeSniffingEnabled</param-name>
    <param-value>true</param-value>
  </init-param>
</filter>

<!-- The mapping for the HTTP header security Filter -->
<filter-mapping>
  <filter-name>httpHeaderSecurity</filter-name>
  <url-pattern>/*</url-pattern>
  <dispatcher>REQUEST</dispatcher>
</filter-mapping>
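To confirm the change took effect after a Tomcat restart, the following Python check (an added example, not part of this article or the Automic product) parses a captured HTTP response head and verifies that the headers the filter above emits are present with the configured values. Run it against a response from the HTTPS endpoint, since Tomcat's HttpHeaderSecurityFilter adds Strict-Transport-Security only on requests it sees as secure; the two sample responses below are constructed, not captured from a real AWI instance.

```python
import re

# Mirrors the hstsMaxAgeSeconds value in the web.xml above (an assumption of this example,
# not a value read from the running Tomcat).
EXPECTED_HSTS_MAX_AGE = 31536000

# Constructed sample: what a Tomcat with HttpHeaderSecurityFilter returns over HTTPS.
SAMPLE_HARDENED = """HTTP/1.1 200 OK
Strict-Transport-Security: max-age=31536000;includeSubDomains
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Content-Type: text/html;charset=UTF-8
"""

# Constructed sample: a Tomcat without the filter, i.e. what the scanner flags.
SAMPLE_UNHARDENED = """HTTP/1.1 200 OK
Content-Type: text/html;charset=UTF-8
"""


def parse_headers(raw: str) -> dict:
    """Parse a raw HTTP response head into {lower-cased header name: value}."""
    headers = {}
    for line in raw.splitlines()[1:]:  # skip the status line
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers


def check_security_headers(raw: str) -> list:
    """Return a list of findings; an empty list means every expected header is correct."""
    h = parse_headers(raw)
    findings = []
    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("HSTS header missing")
    else:
        directives = [d.strip().lower() for d in hsts.split(";")]
        m = next((re.match(r"max-age=(\d+)$", d) for d in directives if d.startswith("max-age=")), None)
        if m is None or int(m.group(1)) < EXPECTED_HSTS_MAX_AGE:
            findings.append("HSTS max-age missing or below expected value")
        if "includesubdomains" not in directives:
            findings.append("HSTS includeSubDomains missing")
    if h.get("x-frame-options", "").upper() not in ("DENY", "SAMEORIGIN"):
        findings.append("X-Frame-Options missing or not DENY/SAMEORIGIN")
    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options missing or not nosniff")
    return findings
```

Feed it the raw head of a real response (for example the output of a HEAD request to the AWI URL) to see which of the filter's headers are still missing.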

Additional Information

See https://tomcat.apache.org/tomcat-8.0-doc/config/filter.html#HTTP_Header_Security_Filter