Some of the assets on which we have PAM installed show this vulnerability: "HTTP Security Header Not Detected"
Diagnosis:
X-Frame-Options: This HTTP response header improves the protection of web applications against clickjacking attacks. Clickjacking, also known as a "UI redress attack", allows an attacker to use multiple transparent or opaque layers to trick a targeted user into clicking on a button or link on another page when they were intending to click on the top-level page.
X-XSS-Protection: This HTTP header enables the browser built-in Cross-Site Scripting (XSS) filter to prevent cross-site scripting attacks. X-XSS-Protection: 0; disables this functionality.
X-Content-Type-Options: This HTTP header prevents attacks based on MIME-type mismatch. The only possible value is nosniff. If your server returns X-Content-Type-Options: nosniff in the response, the browser will refuse to load the styles and scripts in case they have an incorrect MIME-type.
Strict-Transport-Security: The HTTP Strict-Transport-Security response header (HSTS) is a security feature that lets a web site tell browsers that it should only be accessed over HTTPS, never over plain HTTP.
This is the proposed fix:
Customers are advised to set proper X-Frame-Options, X-XSS-Protection, X-Content-Type-Options and Strict-Transport-Security HTTP response headers.
Release: 4.3 and 4.4
Component: Process Automation
HSTS is enabled in ITPAM and has been since approximately version 3.1.
Here is how to verify this:
Using Internet Explorer or Chrome, go to the ITPAM login page.
Hit "F12" on the keyboard to open the developers' console.
Select the "Network" tab.
If there is nothing loaded yet, hit "CTRL+R" to reload the page, and the console will now be populated.
From there select an element, for example, r7Login.css.
Under the "Headers" tab there is a "Response Headers" section, and listed in it you will see:
Strict-Transport-Security: max-age=31536000
This tells you that HSTS is enabled in ITPAM.
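As an added example (not part of the original article or of the ITPAM product), the same check the steps above perform by hand can be done programmatically: parse a captured response head and report which of the four headers the scanner looks for are missing or weak. The response text below is constructed for illustration, not captured from a real ITPAM server.

```python
import re
from typing import Dict, List

# Constructed sample response head (hypothetical values, not from a real server).
SAMPLE_RESPONSE = """HTTP/1.1 200 OK
Content-Type: text/css
Strict-Transport-Security: max-age=31536000
X-Content-Type-Options: nosniff
X-XSS-Protection: 0
"""

def parse_headers(raw: str) -> Dict[str, str]:
    """Turn a raw HTTP response head into a dict keyed by lower-cased header name."""
    headers = {}
    for line in raw.splitlines()[1:]:  # skip the status line
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers

def audit_security_headers(headers: Dict[str, str], min_hsts_age: int = 31536000) -> List[str]:
    """Return findings for X-Frame-Options, X-XSS-Protection, X-Content-Type-Options and HSTS."""
    findings = []
    if headers.get("x-frame-options", "").upper() not in ("DENY", "SAMEORIGIN"):
        findings.append("X-Frame-Options missing or not DENY/SAMEORIGIN")
    xss = headers.get("x-xss-protection")
    if xss is None:
        findings.append("X-XSS-Protection missing")
    elif xss.strip().startswith("0"):
        findings.append("X-XSS-Protection is 0 (browser filter disabled)")
    if headers.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options missing or not nosniff")
    hsts = headers.get("strict-transport-security")
    if hsts is None:
        findings.append("Strict-Transport-Security missing")
    else:
        m = re.search(r"max-age=(\d+)", hsts, re.IGNORECASE)
        if not m:
            findings.append("Strict-Transport-Security has no max-age")
        elif int(m.group(1)) < min_hsts_age:
            findings.append(f"Strict-Transport-Security max-age {m.group(1)} below {min_hsts_age}")
    return findings

if __name__ == "__main__":
    for finding in audit_security_headers(parse_headers(SAMPLE_RESPONSE)):
        print("FINDING:", finding)
```

Run the audit against the head of each URL the scanner flagged (the root URL as well as the login page), since the article notes the header may be present on one and absent on the other.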
If the vulnerability report identifies this vulnerability in the root URL for the ITPAM server, here is the solution:
ITPAM 4.3.5 uses JBoss 5.x as its container. The ITPAM application itself is configured with HSTS headers; however, the out-of-the-box JBoss 5.x module "PAM\server\c2o\deploy\ROOT.war" is not configured with HSTS.
PAM 4.4 uses WildFly as the container, and HSTS can be configured for the root level as well.
Having said that, we have the following options to fix this.
Please note that the Strict-Transport-Security header will only be shown in the browser console under r7Login.css.
The Strict-Transport-Security header is enabled at the container level through web.xml.
It applies to protected URLs, and the server adds the header automatically once login has completed successfully.