A vulnerability assessment (VA) scan detected the "HSTS Missing From HTTPS Server" finding on TCP port 8443 of CA PIM 14.0 on Windows Server 2016.
Release : 14.0
Component : ENTM
The HSTS (Strict-Transport-Security) header is not returned by default.
Test URL: https://entm:8443/ca-nim-sm/api/
HTTP/1.1 401 Unauthorized
Content-Type: application/xml
Content-Length: 317
Date: Thu, 02 Sep 2021 03:06:12 GMT
Server: PIMProxy
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Error xmlns="http://ns.ca.com/2013/06/sm-normalization">
<ErrorCode>139</ErrorCode>
<ErrorMessage>Request unauthorized</ErrorMessage>
<HTTPResponseCode>UNAUTHORIZED</HTTPResponseCode>
<HTTPResponseCodeValue>401</HTTPResponseCodeValue>
</Error>
As seen above, there is no "Strict-Transport-Security" header in the response.
Follow the steps below to modify "C:\Program Files\CA\AccessControlServer\apache-tomcat-7.0.72\conf\web.xml".
1. Uncomment the httpHeaderSecurity filter definition and add the hstsEnabled, hstsMaxAgeSeconds and hstsIncludeSubDomains init parameters, as shown below.
From:
<!--
<filter>
    <filter-name>httpHeaderSecurity</filter-name>
    <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
    <async-supported>true</async-supported>
</filter>
-->
To:
<filter>
    <filter-name>httpHeaderSecurity</filter-name>
    <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
    <!-- emit Strict-Transport-Security on HTTPS responses -->
    <init-param>
        <param-name>hstsEnabled</param-name>
        <param-value>true</param-value>
    </init-param>
    <!-- max-age in seconds (one year); hstsMaxAgeSeconds is the parameter name documented for this Tomcat filter -->
    <init-param>
        <param-name>hstsMaxAgeSeconds</param-name>
        <param-value>31536000</param-value>
    </init-param>
    <!-- add the includeSubDomains directive to the header -->
    <init-param>
        <param-name>hstsIncludeSubDomains</param-name>
        <param-value>true</param-value>
    </init-param>
    <async-supported>true</async-supported>
</filter>
2. Uncomment the httpHeaderSecurity <filter-mapping> section.
From:
<!--
<filter-mapping>
    <filter-name>httpHeaderSecurity</filter-name>
    <url-pattern>/*</url-pattern>
    <dispatcher>REQUEST</dispatcher>
</filter-mapping>
-->
To:
<filter-mapping>
    <filter-name>httpHeaderSecurity</filter-name>
    <url-pattern>/*</url-pattern>
    <url-pattern>*</url-pattern>
    <dispatcher>REQUEST</dispatcher>
</filter-mapping>
3. Restart Tomcat.
After the restart, the "Strict-Transport-Security" header appears in the response.
Test URL: https://entm:8443/ca-nim-sm/api/
HTTP/1.1 401 Unauthorized
Strict-Transport-Security: max-age=31536000;includeSubDomains
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Content-Type: application/xml
Content-Length: 317
Date: Thu, 02 Sep 2021 03:17:14 GMT
Server: PIMProxy
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Error xmlns="http://ns.ca.com/2013/06/sm-normalization">
<ErrorCode>139</ErrorCode>
<ErrorMessage>Request unauthorized</ErrorMessage>
<HTTPResponseCode>UNAUTHORIZED</HTTPResponseCode>
<HTTPResponseCodeValue>401</HTTPResponseCodeValue>
</Error>
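As an added example (not part of this article or of the CA product), the following Python reproduces the scanner's check: it fetches the response headers (a 401 still carries them), parses the Strict-Transport-Security directives per RFC 6797 and reports the finding when the header is missing, malformed, too short-lived or not covering subdomains. The function names are this example's own, and the two sample header sets are transcribed from the before/after responses above.

```python
import urllib.request
import urllib.error

ONE_YEAR = 31536000  # the max-age value the article configures

def parse_hsts(value):
    """Parse HSTS directives (case-insensitive names, RFC 6797); None if max-age is missing or malformed."""
    result = {"max-age": None, "includeSubDomains": False, "preload": False}
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            try:
                result["max-age"] = int(arg.strip().strip('"'))
            except ValueError:
                return None
        elif name == "includesubdomains":
            result["includeSubDomains"] = True
        elif name == "preload":
            result["preload"] = True
    return result if result["max-age"] is not None else None

def check_hsts(headers, min_age=ONE_YEAR):
    """Return a list of findings; an empty list means HSTS is configured."""
    lower = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    value = lower.get("strict-transport-security")
    if value is None:
        return ["HSTS missing from HTTPS server"]
    parsed = parse_hsts(value)
    if parsed is None:
        return ["HSTS header present but max-age is missing or malformed"]
    findings = []
    if parsed["max-age"] < min_age:
        findings.append("HSTS max-age %d is below %d" % (parsed["max-age"], min_age))
    if not parsed["includeSubDomains"]:
        findings.append("HSTS does not cover subdomains")
    return findings

def fetch_headers(url):
    """Fetch response headers; a 401 (as ENTM returns) still carries them."""
    try:
        with urllib.request.urlopen(url) as resp:
            return dict(resp.headers)
    except urllib.error.HTTPError as err:
        return dict(err.headers)

# Constructed from the two responses in the article (before and after the fix).
BEFORE = {"Content-Type": "application/xml", "Server": "PIMProxy"}
AFTER = dict(BEFORE, **{"Strict-Transport-Security": "max-age=31536000;includeSubDomains"})
```

Run `check_hsts(fetch_headers("https://entm:8443/ca-nim-sm/api/"))` against the live server; if ENTM presents a certificate your Python trust store does not know, pass an `ssl.SSLContext` via the `context=` argument of `urlopen` rather than disabling verification.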