Security teams detect a vulnerability related to HTTP Security Header Not Detected.
Release : 20.4
Component : UIM - SECURITY VULNERABILITIES
This vulnerability is not typically caused by UIM; it usually refers to the web server that hosts the site (IIS, Apache, or another web server).
If there is a specific component being implicated please let support know the details.
Otherwise, your web server team should address the vulnerability independent of UIM.
There are many web articles explaining how to remediate this vulnerability if you search for "HTTP Security Header Not Detected."
Customers are advised to set proper X-Content-Type-Options (https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options) and Strict-Transport-Security (https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security) HTTP response headers.
Depending on their server software, customers can set directives in their site configuration or Web.config files.
A few examples are:
X-Content-Type-Options:
Apache: Header always set X-Content-Type-Options "nosniff"
HTTP Strict-Transport-Security:
Apache: Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
Nginx: add_header Strict-Transport-Security "max-age=31536000";
Note: Network devices that include an HTTP/HTTPS console for administrative or management purposes often do not send some or all of these security headers. This is a known issue, and it is recommended to contact the device vendor for a solution.