How to verify that HSTS is enabled for ITPAM

Article ID: 197850

Products

CA Process Automation Base

Issue/Introduction

Some of the assets on which we have PAM installed show this vulnerability: "HTTP Security Header Not Detected"

Diagnosis:

X-Frame-Options: This HTTP response header improves the protection of web applications against clickjacking attacks. Clickjacking, also known as a "UI redress attack", allows an attacker to use multiple transparent or opaque layers to trick a targeted user into clicking on a button or link on another page when they were intending to click on the top-level page.
X-XSS-Protection: This HTTP header enables the browser built-in Cross-Site Scripting (XSS) filter to prevent cross-site scripting attacks. X-XSS-Protection: 0; disables this functionality.
X-Content-Type-Options: This HTTP header prevents attacks based on MIME-type mismatch. The only possible value is nosniff. If your server returns X-Content-Type-Options: nosniff in the response, the browser will refuse to load the styles and scripts in case they have an incorrect MIME-type.
Strict-Transport-Security: The HTTP Strict-Transport-Security response header (HSTS) is a security feature that lets a web site tell browsers that it should only be communicated with using HTTPS, instead of using HTTP.


This is the proposed fix:
Customers are advised to set proper X-Frame-Options, X-XSS-Protection, X-Content-Type-Options and Strict-Transport-Security HTTP response headers.


Environment

Release : 4.3

Component : Process Automation

Resolution

HSTS is enabled in ITPAM and has been since approximately version 3.1.

Here is how to verify this:

Using Internet Explorer or Chrome, go to the ITPAM login page.
Press "F12" on the keyboard to open the browser's developer tools.
Select the "Network" tab.

If nothing has been loaded yet, press "CTRL+R" to reload the page, and the Network tab will populate.

From there select a resource, for example, r7Login.css.
In the headers for that resource there is a "Response Headers" section, and listed in it you will see:

   Strict-Transport-Security: max-age=31536000
   
This tells you that HSTS is enabled in ITPAM.
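The same check can be scripted for fleets of PAM hosts instead of repeated by hand in the browser. The following is an added example, not CA/Broadcom code: it evaluates the four headers this article lists against a constructed sample header set, and the `fetch_headers` helper is an assumed way to pull live headers over HTTPS (not used in the offline sample).

```python
"""Check the HTTP security headers named in this article on a response header set."""
import ssl
import urllib.request

# Constructed sample: what the r7Login.css response carries when HSTS is on.
SAMPLE_HEADERS = {
    "Content-Type": "text/css",
    "Strict-Transport-Security": "max-age=31536000",
    "X-Content-Type-Options": "nosniff",
}

def parse_hsts(value):
    """Split an HSTS value such as 'max-age=300; includeSubDomains' into directives."""
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        directives[name.strip().lower()] = val.strip().strip('"')
    return directives

def check_security_headers(headers):
    """Return {header name: (ok, detail)} for the headers the scanner finding names."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = {}
    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings["Strict-Transport-Security"] = (False, "header missing")
    else:
        try:
            max_age = int(parse_hsts(hsts).get("max-age", ""))
        except ValueError:
            max_age = -1  # non-numeric or absent max-age: HSTS is not effective
        findings["Strict-Transport-Security"] = (max_age > 0, f"max-age={max_age}")
    xfo = h.get("x-frame-options", "").upper()
    findings["X-Frame-Options"] = (xfo in ("DENY", "SAMEORIGIN"), xfo or "header missing")
    xcto = h.get("x-content-type-options", "").lower()
    findings["X-Content-Type-Options"] = (xcto == "nosniff", xcto or "header missing")
    xxp = h.get("x-xss-protection", "")
    findings["X-XSS-Protection"] = (xxp.startswith("1"), xxp or "header missing")
    return findings

def fetch_headers(url):
    """Assumed helper: fetch live response headers over HTTPS (needs network access)."""
    with urllib.request.urlopen(url, context=ssl.create_default_context()) as resp:
        return dict(resp.getheaders())

if __name__ == "__main__":
    for name, (ok, detail) in check_security_headers(SAMPLE_HEADERS).items():
        print(f"{'OK     ' if ok else 'MISSING'} {name}: {detail}")
```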