
Product Vulnerability - Strict-Transport-Security Header setting


Article ID: 202695


Products

CA Spectrum CA eHealth

Issue/Introduction

A penetration test has identified the following finding:

Set the Strict-Transport-Security header to "max-age=31536000". If all subdomains require HTTPS, set the Strict-Transport-Security header to "max-age=31536000; includeSubDomains".

Environment

Release : 10.4.2.1

Component : Spectrum Core / SpectroSERVER

Resolution

In Spectrum 10.4.2.1 (aka NetOps 20.2.3) the HTTP Strict Transport Security (HSTS) setting is enabled by default.

Once the httpHeaderSecurity filter is added, the Strict-Transport-Security header is already present in the HTTP response, but with max-age set to 0. A max-age of 0 tells browsers not to retain any HSTS policy, so the header gives no protection in that state.

The reported vulnerability asks for a non-zero max-age value. To set one, add the following init parameter to the httpHeaderSecurity filter:

hstsMaxAgeSeconds with value 31536000 (one year, the value requested in the finding)

If all subdomains also require HTTPS, the same Tomcat filter accepts an hstsIncludeSubDomains parameter (true/false) that adds the includeSubDomains directive; it is not needed for the finding above unless every subdomain is served over HTTPS.

web.xml httpHeaderSecurity section after adding this parameter looks like this:

<filter>
    <filter-name>httpHeaderSecurity</filter-name>
    <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
    <init-param>
        <param-name>antiClickJackingOption</param-name>
        <param-value>SAMEORIGIN</param-value>
    </init-param>
    <init-param>
        <param-name>hstsMaxAgeSeconds</param-name>
        <param-value>31536000</param-value>
    </init-param>
    <async-supported>true</async-supported>
</filter>
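To confirm the change actually took effect, the following check parses a Strict-Transport-Security header the way a scanner would and flags the two states this article describes (header absent, or present with max-age=0). It is an added example, not code from Spectrum or Tomcat; the response headers in it are constructed, and the 31536000 threshold mirrors the value requested in the finding.

```python
"""Validate a Strict-Transport-Security header against the finding above.

Added example (not part of Spectrum or Tomcat). Sample headers are constructed.
"""
from typing import Dict, List, Optional

MIN_MAX_AGE = 31536000  # one year, the value requested in the finding


def parse_hsts(value: str) -> Dict[str, Optional[str]]:
    """Split 'max-age=31536000; includeSubDomains' into {directive: value}.
    Directive names are case-insensitive (RFC 6797), so they are lower-cased;
    a directive without '=' (e.g. includeSubDomains) maps to None."""
    directives: Dict[str, Optional[str]] = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, sep, val = part.partition("=")
        directives[name.strip().lower()] = val.strip().strip('"') if sep else None
    return directives


def check_hsts(headers: Dict[str, str], require_subdomains: bool = False) -> List[str]:
    """Return a list of findings; an empty list means the header is acceptable.
    Header names are matched case-insensitively, as HTTP requires."""
    hsts = None
    for name, value in headers.items():
        if name.lower() == "strict-transport-security":
            hsts = value
    if hsts is None:
        return ["Strict-Transport-Security header missing"]
    d = parse_hsts(hsts)
    findings: List[str] = []
    max_age = d.get("max-age")
    if max_age is None or not max_age.isdigit():
        findings.append("max-age directive missing or not numeric")
    elif int(max_age) == 0:
        findings.append("max-age=0: the filter's value until hstsMaxAgeSeconds is set; policy is not retained")
    elif int(max_age) < MIN_MAX_AGE:
        findings.append(f"max-age={max_age} is below the recommended {MIN_MAX_AGE}")
    if require_subdomains and "includesubdomains" not in d:
        findings.append("includeSubDomains directive missing")
    return findings


# Constructed responses: before and after adding the hstsMaxAgeSeconds init-param.
BEFORE_FIX = {"Strict-Transport-Security": "max-age=0", "X-Frame-Options": "SAMEORIGIN"}
AFTER_FIX = {"Strict-Transport-Security": "max-age=31536000", "X-Frame-Options": "SAMEORIGIN"}

if __name__ == "__main__":
    for label, hdrs in (("before fix", BEFORE_FIX), ("after fix", AFTER_FIX)):
        print(label, check_hsts(hdrs) or "OK")
```

Run it against the header set captured from the Spectrum HTTPS endpoint (for example, the headers returned by a browser's network tab) to verify the before and after states.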