Enabling HTTP Strict Transport Security in vRealize Log Insight
Article ID: 315970

Products

VMware Aria Suite

Issue/Introduction

Without the HTTP Strict Transport Security (HSTS) header in its responses, a site is exposed to eavesdropping as well as Man-in-the-Middle and other active network attacks.
HSTS reduces the chance that requests and responses are intercepted, and that secure HTTPS connections are downgraded to unencrypted HTTP. When pages are reachable outside a secured context, legitimate users may believe the session is secure and submit private information in clear text.

Without HSTS, related findings such as Clickjacking, X-Content-Type-Options Header Check, and X-XSS-Protection Header Check can also be raised.

Environment

VMware vRealize Log Insight 8.1.x
VMware vRealize Log Insight 8.2.x

Resolution

  1. Open the vRealize Log Insight configuration user interface by navigating to IP_or_FQDN/internal/config.
Note: Replace IP_or_FQDN with the IP address or FQDN of the Primary vRealize Log Insight node.
  2. Enable the Show all setting checkbox.
  3. In the configuration settings pane, find the anticlickjacking parameter and change its value to true to enable it.
Example: <anticlickjacking-enabled value="true" />
  4. Click Save at the bottom of the page.
Note: This change is propagated to all nodes in the cluster.
  5. Log in to the Primary node as root via SSH or Console (press ALT+F1 in the Console to reach the login prompt).
  6. Run the following command to restart the loginsight service:
service loginsight restart
  7. Repeat step 6 on all other nodes in the cluster.


Additional Information

To verify that HSTS is enabled, run the following command from any vRealize Log Insight node as root via SSH or Console (press ALT+F1 in the Console to reach the login prompt):
curl --insecure https://IP_or_FQDN -I

Note: Replace IP_or_FQDN with the IP Address or FQDN of the Primary vRealize Log Insight node.

If HSTS is enabled, you will see output similar to:
HTTP/1.1 302
Cache-Control: no-store, no-cache, max-age=0
Pragma: no-cache
Strict-Transport-Security: max-age=31536000;includeSubDomains
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
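The check above can be scripted so it is repeatable across every node in the cluster. The following is an added example, not code from this article or from the product: check_hsts validates the Strict-Transport-Security directives in a header block (the sample below is constructed from the output quoted above), and fetch_headers retrieves live headers from a node the way the curl command does, skipping certificate verification because the appliance certificate is typically self-signed. The hostname passed to fetch_headers is assumed to be supplied by the caller.

```python
import ssl
import http.client

# Response headers constructed from the sample output quoted in this article.
SAMPLE_HEADERS = """HTTP/1.1 302
Cache-Control: no-store, no-cache, max-age=0
Pragma: no-cache
Strict-Transport-Security: max-age=31536000;includeSubDomains
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
"""

def parse_headers(raw):
    """Map lowercased header names to values; the status line is skipped."""
    headers = {}
    for line in raw.splitlines()[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers

def check_hsts(raw, min_age=31536000):
    """Return (ok, findings); min_age defaults to the one year the sample advertises."""
    hsts = parse_headers(raw).get("strict-transport-security")
    if hsts is None:
        return False, ["Strict-Transport-Security header missing"]
    # Directives are ';'-separated and case-insensitive (RFC 6797).
    directives = {}
    for part in hsts.split(";"):
        key, _, val = part.strip().partition("=")
        if key:
            directives[key.lower()] = val.strip()
    findings = []
    age = directives.get("max-age", "")
    if not age.isdigit():
        findings.append("max-age missing or not numeric")
    elif int(age) < min_age:
        findings.append(f"max-age {age} is below {min_age}")
    if "includesubdomains" not in directives:
        findings.append("includeSubDomains directive not set")
    return not findings, findings

def fetch_headers(host):
    """HEAD / over HTTPS without certificate checks, like `curl --insecure -I`."""
    ctx = ssl.create_default_context()
    ctx.check_hostname, ctx.verify_mode = False, ssl.CERT_NONE  # self-signed appliance cert
    conn = http.client.HTTPSConnection(host, context=ctx, timeout=10)
    conn.request("HEAD", "/")
    resp = conn.getresponse()
    return "\n".join([f"HTTP/1.1 {resp.status}"] + [f"{k}: {v}" for k, v in resp.getheaders()])
```

Run check_hsts(fetch_headers("IP_or_FQDN")) against each node after the service restart; a non-empty findings list identifies a node where the change has not taken effect.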


Impact/Risks:
Enabling HSTS prevents vRealize Log Insight from being displayed in iFrames within other applications, such as vRealize Operations.
For example, after enabling HSTS you will no longer be able to select a resource in vRealize Operations and open its logs directly from there.