Implement 'Strict-Transport-Security' in Header (HSTS)


Article ID: 232148


Updated On:

Products

CA Service Management - Service Desk Manager

Issue/Introduction

Customer wants to implement "HTTP Strict Transport Security (HSTS)" in Service Management

Strict-Transport-Security is an optional response header that the server can send to instruct the browser to communicate with that host only over HTTPS.

Once the browser has seen the header, it enforces the policy itself: even if the user requests an HTTP URL on the same server, the browser rewrites the request to HTTPS before sending it.

If the page is already served over HTTPS, applying this header is optional.

Some browsers already support this feature.

Environment

Release : 17.3

Component : SDM - Vulnerability

Resolution

This solution utilizes the following NX variables:

@NX_X_XSS_PROTECTION - when set to YES, sends the X-XSS-Protection HTTP header as part of the response

@NX_X_CONTENT_TYPE_OPTIONS - when set to YES, sends the X-Content-Type-Options HTTP header as part of the response

@NX_STRICT_TRANSPORT_SECURITY - when set to YES, sends the Strict-Transport-Security HTTP header as part of the response

@NX_STRICT_TRANSPORT_SECURITY - requires the NX_STS_MAX_AGE variable to set the expiry time (the max-age attribute)

@NX_STS_MAX_AGE - when set to a number of seconds (default value: 31536000, i.e. one year), adds the max-age= attribute to the Strict-Transport-Security HTTP header sent as part of the response.

Install this option by executing the following commands on the primary server:

pdm_options_mgr -c -s X_XSS_PROTECTION -v YES -a pdm_option.inst
pdm_options_mgr -c -s X_CONTENT_TYPE_OPTIONS -v YES -a pdm_option.inst
pdm_options_mgr -c -s STRICT_TRANSPORT_SECURITY -v YES -a pdm_option.inst
pdm_options_mgr -c -s STS_MAX_AGE -v 31536000 -a pdm_option.inst

To avoid losing these changes when the pdm_configure command is run, execute the same commands with the -t option:

pdm_options_mgr -c -s X_XSS_PROTECTION -v YES -a pdm_option.inst -t
pdm_options_mgr -c -s X_CONTENT_TYPE_OPTIONS -v YES -a pdm_option.inst -t
pdm_options_mgr -c -s STRICT_TRANSPORT_SECURITY -v YES -a pdm_option.inst -t
pdm_options_mgr -c -s STS_MAX_AGE -v 31536000 -a pdm_option.inst -t

DE28118

Uninstall the NX Variables

Uninstall this option by executing the following commands on the primary server:

pdm_options_mgr -c -s X_XSS_PROTECTION -v YES -a pdm_option.deinst
pdm_options_mgr -c -s X_CONTENT_TYPE_OPTIONS -v YES -a pdm_option.deinst
pdm_options_mgr -c -s STRICT_TRANSPORT_SECURITY -v YES -a pdm_option.deinst
pdm_options_mgr -c -s STS_MAX_AGE -v 31536000 -a pdm_option.deinst

To avoid losing these changes when the pdm_configure command is run, execute the same commands with the -t option:

pdm_options_mgr -c -s X_XSS_PROTECTION -v YES -a pdm_option.deinst -t
pdm_options_mgr -c -s X_CONTENT_TYPE_OPTIONS -v YES -a pdm_option.deinst -t
pdm_options_mgr -c -s STRICT_TRANSPORT_SECURITY -v YES -a pdm_option.deinst -t
pdm_options_mgr -c -s STS_MAX_AGE -v 31536000 -a pdm_option.deinst -t

For every secondary server that you have configured, manually add or update the same NX variables in the NX.env file in the $NX_ROOT directory on that server. Restart CA SDM for the new NX variables to take effect.
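After the options are installed and CA SDM has been restarted, the practical check is whether the response headers the NX variables are meant to produce actually arrive with the expected values. The following POSIX shell script is an added example, not part of this article or of the CA SDM product: it audits a captured header block for Strict-Transport-Security (with a max-age of at least the article's default of 31536000 seconds), X-Content-Type-Options and X-XSS-Protection. The two header blocks embedded in the script are constructed samples, not output captured from a real server; to audit a live server, capture its headers with something like curl -sI https://<sdm-host>/ (the host is a placeholder) and pass them to audit.

```shell
#!/bin/sh
# Added example (not from the article): verify the three security headers that
# the NX variables X_XSS_PROTECTION, X_CONTENT_TYPE_OPTIONS and
# STRICT_TRANSPORT_SECURITY / STS_MAX_AGE are expected to add to a response.

# Smallest acceptable max-age in seconds; the article's default is one year.
HSTS_MIN_AGE=31536000

# check_hsts HEADERS
# Returns 0 when a Strict-Transport-Security header is present and its max-age
# is at least HSTS_MIN_AGE, 1 otherwise. Header names are case-insensitive, and
# CR characters from an HTTP response are stripped first.
check_hsts() {
    age=$(printf '%s\n' "$1" | tr -d '\r' \
        | grep -i '^strict-transport-security:' \
        | sed -n 's/.*[Mm][Aa][Xx]-[Aa][Gg][Ee]=\([0-9][0-9]*\).*/\1/p' \
        | head -n 1)
    [ -n "$age" ] || return 1
    [ "$age" -ge "$HSTS_MIN_AGE" ]
}

# check_header HEADERS NAME VALUE
# Returns 0 when header NAME is present and its value starts with VALUE.
check_header() {
    printf '%s\n' "$1" | tr -d '\r' \
        | grep -i "^$2:[[:space:]]*$3" >/dev/null
}

# audit HEADERS
# Prints one verdict line per header and returns the number of failed checks,
# so a return value of 0 means all three headers are in place.
audit() {
    fails=0
    if check_hsts "$1"; then
        echo "Strict-Transport-Security: ok (max-age >= $HSTS_MIN_AGE)"
    else
        echo "Strict-Transport-Security: MISSING or max-age below $HSTS_MIN_AGE"
        fails=$((fails + 1))
    fi
    if check_header "$1" 'X-Content-Type-Options' 'nosniff'; then
        echo "X-Content-Type-Options:    ok"
    else
        echo "X-Content-Type-Options:    MISSING"
        fails=$((fails + 1))
    fi
    if check_header "$1" 'X-XSS-Protection' '1'; then
        echo "X-XSS-Protection:          ok"
    else
        echo "X-XSS-Protection:          MISSING"
        fails=$((fails + 1))
    fi
    return $fails
}

# Constructed sample: a response after the NX options are installed.
HARDENED='HTTP/1.1 200 OK
Content-Type: text/html
Strict-Transport-Security: max-age=31536000
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block'

# Constructed sample: a response with HSTS present but an expiry far too short.
SHORT_AGE='HTTP/1.1 200 OK
Content-Type: text/html
Strict-Transport-Security: max-age=60'

# Constructed sample: a response before the NX options are installed.
PLAIN='HTTP/1.1 200 OK
Content-Type: text/html'

# Usage: audit each sample; for a live server, replace the sample with the
# output of curl -sI https://<sdm-host>/ (placeholder host).
echo "== hardened sample =="; audit "$HARDENED"
echo "== short max-age sample =="; audit "$SHORT_AGE"
echo "== plain sample =="; audit "$PLAIN"
```

The max-age check matters because a header that is present but carries a tiny expiry gives almost no protection: the browser forgets the policy as soon as it expires, so the short-age sample is reported as a failure even though the header exists.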

Additional Information

Prob DE31528

https://techdocs.broadcom.com/us/en/ca-enterprise-software/business-management/ca-service-management/14-1/implementing/implement-ca-service-management-14-1-04/post-install-tasks-for-ca-service-management-14-1-04/post-install-steps-for-ca-service-desk-manager/optional-steps-for-specific-issues-when-installing-ca-sdm-14-1-04.html