Our QUALYS software is finding the following deficiencies when scanning the Vantage WebUI. We need the proper configuration in the Vantage WebUI to address this.
The QUALYS software is reporting that the following HTTP headers are missing: X-Frame-Options, X-XSS-Protection HTTP and X-Content-Type-Options.
Here are some of the diagnostics produced by the QUALYS software:
Please make a request for the starting URI in your web application and check its response headers using a proxy. One or more of the above headers must be missing in the response.
Various settings in the Vantage Web UI file 'web.xml' need to be activated/enabled/modified to avoid this security exposure.
Release : 14.0
Component : CA Vantage Storage Resource Manager
Vantage WebUI (Client)
To resolve this problem of missing HTTP headers (as reported by the QUALYS software product) - 'X-Frame-Options', 'X-XSS-Protection HTTP', and 'X-Content-Type-Options' -
we need to enable the Secure HTTP Header in Apache Tomcat. Here are the steps to do this:
1. Stop the Vantage WebUI task.
2. Navigate to the 'conf' directory of the tomcat 'runtime' directory and find file 'web.xml', such as:
This location is the Vantage WebUI 'runtime'.
3. Open for edit the file 'web.xml' (you can use ISPF option =3.17 and edit it as ASCII).
4. Navigate to line 493 and uncomment the following section:
... by removing the '<!--' and '-->' before and after the filter.
5. Navigate to line 590 and uncomment and edit the following section:
... by removing the comment in XML '<!--' and '-->' before and after the '<filter-mapping>', and delete the line with the text '<dispatcher>'.
Your filter mapping should look like this after the change:
6. Save the file.
7. Start the Vantage WebUI task.
After applying this configuration change the result in the HTTP headers will be:
To see the configuration results in the HTTP headers, you can use the 'curl' command, such as:
curl -X HEAD -I http://[URL]:[PORT]/VantageGMI/
You can perform 'curl' from your PC. If you are using Windows 10, it should already be installed:
Open the Windows command prompt ( Start -> run -> cmd)
... then try the 'curl' command from the command prompt. If you are running Linux, then the 'curl' command should already be available. Either way, it is best to have 'curl' available (installed) on your workstation and then perform the 'curl' call to verify the HTTP headers.
Sample output of the 'curl' would appear, such as:
X-XSS-Protection: 1; mode=block
Last-Modified: Wed, 02 Dec 2020 20:18:46 GMT
Date: Mon, 12 Apr 2021 13:53:57 GMT
The Postman user interface can also be used to verify the headers, such as:
A 'Get' call can be performed on the Vantage WebUI, and the header section will be visible with the required information, as demonstrated above.