Implement 'Strict-Transport-Security' in Header (HSTS)

Article ID: 232148

Products

CA Service Management - Service Desk Manager

Issue/Introduction

Customer wants to implement "HTTP Strict Transport Security (HSTS)" in Service Management

HTTP Strict Transport Security is an optional response header that the server sends to instruct the browser to communicate with that host only over HTTPS.

Once a browser has received the header, it enforces the policy itself: any http:// request to the same host is rewritten to https:// before it is sent, for as long as the max-age the header carries has not expired.

The header is only meaningful when Service Desk Manager is already served over HTTPS; browsers ignore Strict-Transport-Security on a plain HTTP response, so applying it is a hardening step for an HTTPS deployment, not a way to obtain one. Because the policy is cached client-side for the full max-age, make sure every SDM URL is reachable over HTTPS with a valid certificate before enabling it; removing the server setting afterwards does not clear a policy that browsers have already cached.

All current mainstream browsers support HSTS.

Environment

Release : 17.3

Component : SDM - Vulnerability

Resolution

This solution utilizes the following NX variables:

@NX_X_XSS_PROTECTION - when set to YES, sends the X-XSS-Protection HTTP header as part of the response

@NX_X_CONTENT_TYPE_OPTIONS - when set to YES, sends the X-Content-Type-Options HTTP header as part of the response

@NX_STRICT_TRANSPORT_SECURITY - when set to YES, sends the Strict-Transport-Security HTTP header as part of the response

@NX_STRICT_TRANSPORT_SECURITY - requires @NX_STS_MAX_AGE to set the expiry time of the policy

@NX_STS_MAX_AGE - when set to a number of seconds (default value: 31536000, one year), adds the max-age= attribute to the Strict-Transport-Security HTTP header sent as part of the response

Install these options by executing the following commands on the CA SDM server:

pdm_options_mgr -c -s X_XSS_PROTECTION -v YES -a pdm_option.inst

pdm_options_mgr -c -s X_CONTENT_TYPE_OPTIONS -v YES -a pdm_option.inst

pdm_options_mgr -c -s STRICT_TRANSPORT_SECURITY -v YES -a pdm_option.inst  

pdm_options_mgr -c -s STS_MAX_AGE -v 31536000 -a pdm_option.inst

pdm_configure regenerates the NX environment file, which would discard these settings. To avoid losing the changes when pdm_configure is run, also execute each command with the -t option:

pdm_options_mgr -c -s X_XSS_PROTECTION -v YES -a pdm_option.inst -t

pdm_options_mgr -c -s X_CONTENT_TYPE_OPTIONS -v YES -a pdm_option.inst -t

pdm_options_mgr -c -s STRICT_TRANSPORT_SECURITY -v YES -a pdm_option.inst -t

pdm_options_mgr -c -s STS_MAX_AGE -v 31536000 -a pdm_option.inst -t

If you wish to uninstall these options, execute the following commands on the CA SDM server:

pdm_options_mgr -c -s X_XSS_PROTECTION -v YES -a pdm_option.deinst

pdm_options_mgr -c -s X_CONTENT_TYPE_OPTIONS -v YES -a pdm_option.deinst

pdm_options_mgr -c -s STRICT_TRANSPORT_SECURITY -v YES -a pdm_option.deinst

pdm_options_mgr -c -s STS_MAX_AGE -v 31536000 -a pdm_option.deinst

Likewise, to keep the removal from being undone when pdm_configure is run, also execute each command with the -t option:

pdm_options_mgr -c -s X_XSS_PROTECTION -v YES -a pdm_option.deinst -t

pdm_options_mgr -c -s X_CONTENT_TYPE_OPTIONS -v YES -a pdm_option.deinst -t

pdm_options_mgr -c -s STRICT_TRANSPORT_SECURITY -v YES -a pdm_option.deinst -t

pdm_options_mgr -c -s STS_MAX_AGE -v 31536000 -a pdm_option.deinst -t

Restart the CA SDM service for the new NX variables to take effect, then confirm from a client that the headers are actually present in the responses.
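The following script is an added example for checking the result after the restart; it is not part of the article or of the CA SDM product. It takes raw HTTP response headers, such as the output of curl -sSI against an SDM URL (the hostname and path in the comment are placeholders), and reports whether all three headers are served and whether the HSTS max-age is at least the value that was configured. Two constructed sample responses are embedded so it can be run offline.

```shell
#!/bin/sh
# Added example (not CA SDM code): verify the security headers this article
# enables are really being served. For a live check, run for example
#   check_headers "$(curl -sSI https://sdm.example.com/CAisd/pdmweb.exe)"
# (hostname and path are placeholders for your own SDM URL).

# Minimum max-age we expect, defaulting to the article's value (one year).
EXPECTED_MAX_AGE=${EXPECTED_MAX_AGE:-31536000}

# hsts_max_age HEADERS -> prints the max-age value of the
# Strict-Transport-Security header, or nothing if the header is absent.
hsts_max_age() {
    printf '%s\n' "$1" \
      | tr -d '\r' \
      | tr 'A-Z' 'a-z' \
      | sed -n 's/^strict-transport-security:.*max-age=\([0-9][0-9]*\).*/\1/p' \
      | head -n 1
}

# has_header HEADERS NAME VALUE-PATTERN -> succeeds if a header NAME whose
# value starts with VALUE-PATTERN is present (case-insensitive).
has_header() {
    printf '%s\n' "$1" | tr -d '\r' | grep -iq "^$2:[[:space:]]*$3"
}

# check_headers HEADERS -> returns 0 if all three headers are present with
# acceptable values, 1 otherwise; prints one line per finding.
check_headers() {
    h=$1
    rc=0
    age=$(hsts_max_age "$h")
    if [ -z "$age" ]; then
        echo "FAIL Strict-Transport-Security missing or without max-age"
        rc=1
    elif [ "$age" -lt "$EXPECTED_MAX_AGE" ]; then
        echo "FAIL Strict-Transport-Security max-age=$age below $EXPECTED_MAX_AGE"
        rc=1
    else
        echo "OK   Strict-Transport-Security max-age=$age"
    fi
    if has_header "$h" 'X-Content-Type-Options' 'nosniff'; then
        echo "OK   X-Content-Type-Options: nosniff"
    else
        echo "FAIL X-Content-Type-Options: nosniff missing"
        rc=1
    fi
    if has_header "$h" 'X-XSS-Protection' '1'; then
        echo "OK   X-XSS-Protection present"
    else
        echo "FAIL X-XSS-Protection missing"
        rc=1
    fi
    return $rc
}

# Constructed sample responses (not captured from a real SDM server).
# What a response should look like once the NX variables are installed:
SAMPLE_AFTER='HTTP/1.1 200 OK
Strict-Transport-Security: max-age=31536000
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Content-Type: text/html'

# What it looks like before they are installed: none of the headers.
SAMPLE_BEFORE='HTTP/1.1 200 OK
Content-Type: text/html'

# Run against the samples when executed directly.
echo "== sample response after enabling =="
check_headers "$SAMPLE_AFTER" || true
echo "== sample response before enabling =="
check_headers "$SAMPLE_BEFORE" || true
```

The max-age check deliberately treats a smaller-than-configured value as a failure: if a proxy or load balancer in front of SDM rewrites or injects its own Strict-Transport-Security header, the browser applies whatever value it finally receives, not what was set in NX.env.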