HTTP Security Header Not Detected

Article ID: 242225

Products

DX Unified Infrastructure Management (Nimsoft / UIM)
CA Unified Infrastructure Management On-Premise (Nimsoft / UIM)
CA Unified Infrastructure Management SaaS (Nimsoft / UIM)
Unified Infrastructure Management for Mainframe

Issue/Introduction

Security teams report a vulnerability scan finding named "HTTP Security Header Not Detected" against a UIM host.

Environment

Release : 20.4

Component : UIM - SECURITY VULNERABILITIES

Resolution

This finding is not typically caused by UIM itself; it usually refers to the web server on the host (IIS, Apache, or another server) not sending recommended HTTP response headers.

If a specific UIM component is being implicated, please let support know the details.

Otherwise, your web server team should address the vulnerability independent of UIM.

There are many web articles explaining how to remediate this vulnerability if you search for "HTTP Security Header Not Detected."

Customers are advised to set proper X-Content-Type-Options (https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options) and Strict-Transport-Security (https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security) HTTP response headers.

Depending on their server software, customers can set these directives in the site configuration (for example, the Apache or Nginx server configuration) or in IIS Web.config files.

A few examples are:

X-Content-Type-Options:
Apache: Header always set X-Content-Type-Options "nosniff"

HTTP Strict-Transport-Security:
Apache: Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
Nginx: add_header Strict-Transport-Security "max-age=31536000";

Note: In Nginx, add_header only applies to 2xx and 3xx responses unless the "always" parameter is appended to the directive; scanners that inspect error pages may still report the header as missing without it. Strict-Transport-Security is only honoured by browsers when it is delivered over HTTPS.
Note: Network devices that include an HTTP/HTTPS console for administrative/management purposes often do not include some or all of the security headers. This is a known issue, and it is recommended to contact the device vendor for a solution.
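To verify what a server actually sends before re-running the scanner, the following added example (not UIM or Broadcom code) parses a raw HTTP response header block and reports whether the two headers recommended above are missing or weaker than the values in the examples. The sample responses are constructed for illustration; the minimum max-age of 31536000 is taken from the article's own examples.

```python
"""Report missing or weak X-Content-Type-Options / Strict-Transport-Security
headers in a raw HTTP response. Added example, not UIM or Broadcom code."""
from email.parser import Parser

MIN_HSTS_MAX_AGE = 31536000  # one year, matching the article's examples


def parse_headers(raw_response):
    """Split off the status line and parse the header block case-insensitively."""
    lines = raw_response.splitlines()
    header_block = "\n".join(lines[1:])  # drop "HTTP/1.1 200 OK"
    return Parser().parsestr(header_block, headersonly=True)


def check_security_headers(raw_response):
    """Return {header name: problem} for the two headers; empty dict if fine."""
    msg = parse_headers(raw_response)
    findings = {}

    xcto = msg.get("X-Content-Type-Options")
    if xcto is None:
        findings["X-Content-Type-Options"] = "missing"
    elif xcto.strip().lower() != "nosniff":
        findings["X-Content-Type-Options"] = f"unexpected value {xcto.strip()!r}"

    hsts = msg.get("Strict-Transport-Security")
    if hsts is None:
        findings["Strict-Transport-Security"] = "missing"
    else:
        # Directives are ";"-separated, e.g. "max-age=31536000; includeSubDomains".
        directives = {}
        for part in hsts.split(";"):
            name, _, value = part.strip().partition("=")
            directives[name.lower()] = value.strip()
        try:
            max_age = int(directives.get("max-age", ""))
        except ValueError:
            findings["Strict-Transport-Security"] = "max-age missing or invalid"
        else:
            if max_age < MIN_HSTS_MAX_AGE:
                findings["Strict-Transport-Security"] = (
                    f"max-age {max_age} below {MIN_HSTS_MAX_AGE}")
    return findings


# Constructed sample responses (not captured from a real server).
GOOD_RESPONSE = "\r\n".join([
    "HTTP/1.1 200 OK", "Content-Type: text/html",
    "X-Content-Type-Options: nosniff",
    "Strict-Transport-Security: max-age=31536000; includeSubDomains", ""])
WEAK_RESPONSE = "\r\n".join([
    "HTTP/1.1 200 OK", "Content-Type: text/html",
    "Strict-Transport-Security: max-age=300", ""])

if __name__ == "__main__":
    for name, raw in (("good", GOOD_RESPONSE), ("weak", WEAK_RESPONSE)):
        print(name, check_security_headers(raw) or "OK")
```

The raw header block can be obtained with `curl -sI https://host/` and piped in, or by calling check_security_headers on the text of a captured response.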