Adding Strict Transport Security (HSTS) Headers to the vCenter Server Appliance Management Interface (VAMI)

Article ID: 327797


Products

VMware vCenter Server

Issue/Introduction

Symptoms:
Customers may receive reports from a security scan that the vCenter Server Appliance Management Interface lacks the Strict Transport Security (HSTS) headers.

Environment

VMware vCenter Server Appliance 6.7.x
VMware vCenter Server Appliance 6.5.x

Cause

The lighttpd web server that serves the VAMI (the vami-lighttp service) does not send this header by default.

Resolution

Edit the /etc/applmgmt/appliance/lighttpd.conf file on the vCenter Server Appliance to add the header.

Replace the lines:

setenv.add-response-header = ( "X-UA-Compatible" => "IE=edge",
                               "X-Frame-Options" => "Deny" )


With the following:

setenv.add-response-header = ( "X-UA-Compatible" => "IE=edge",
                               "X-Frame-Options" => "Deny",
                               "Strict-Transport-Security" => "max-age=31536000; includeSubdomains" )


Restart the VAMI lighttpd service so the new configuration takes effect:

systemctl restart vami-lighttp
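After the restart, confirm that the header is actually served and that its directives are what a scanner expects (a max-age of at least one year and includeSubDomains). The following Python script is an added example, not part of this KB article or VMware's own tooling; it parses the Strict-Transport-Security value per RFC 6797 (directive names are case-insensitive, so the "includeSubdomains" spelling used above is accepted), reports what is missing, and can optionally query a live appliance on port 5480. The sample header sets are constructed, and the hostname and the verify=False option for appliances still using a self-signed certificate are assumptions for your environment.

```python
"""Check that an HTTPS endpoint (e.g. the VAMI on port 5480) sends a usable
Strict-Transport-Security header. Added example, not VMware code."""
import http.client
import ssl

# One year in seconds, the max-age value the KB article configures.
EXPECTED_MIN_MAX_AGE = 31536000


def parse_hsts(value):
    """Parse an HSTS header value into a dict of directives.

    Directive names are case-insensitive per RFC 6797, so keys are lowercased;
    valueless directives such as includeSubDomains map to True.
    """
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        directives[name.strip().lower()] = val.strip().strip('"') if val else True
    return directives


def check_hsts(headers):
    """Return a list of findings for a list of (name, value) header pairs.

    An empty list means the HSTS policy looks correct."""
    findings = []
    values = [v for n, v in headers if n.lower() == "strict-transport-security"]
    if not values:
        return ["Strict-Transport-Security header missing"]
    if len(values) > 1:
        findings.append("multiple Strict-Transport-Security headers; clients use the first")
    d = parse_hsts(values[0])
    max_age = d.get("max-age")
    if max_age is None or max_age is True or not str(max_age).isdigit():
        findings.append("max-age directive missing or not an integer")
    elif int(max_age) < EXPECTED_MIN_MAX_AGE:
        findings.append(f"max-age {max_age} is below {EXPECTED_MIN_MAX_AGE}")
    if "includesubdomains" not in d:
        findings.append("includeSubDomains directive missing")
    return findings


def fetch_headers(host, port=5480, path="/", verify=True):
    """Send a HEAD request over TLS and return the response headers as a list
    of (name, value) tuples. verify=False is only for appliances still on a
    self-signed certificate (assumption: adjust to your own setup)."""
    ctx = ssl.create_default_context()
    if not verify:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    conn = http.client.HTTPSConnection(host, port, context=ctx, timeout=10)
    try:
        conn.request("HEAD", path)
        return conn.getresponse().getheaders()
    finally:
        conn.close()


# Constructed sample header sets, modelling the VAMI before and after the change.
BEFORE = [("X-UA-Compatible", "IE=edge"), ("X-Frame-Options", "Deny")]
AFTER = BEFORE + [("Strict-Transport-Security", "max-age=31536000; includeSubdomains")]

if __name__ == "__main__":
    import sys
    # Usage: python check_hsts.py <vcsa-hostname>   (hostname is an assumption)
    if len(sys.argv) > 1:
        headers = fetch_headers(sys.argv[1], verify=False)
    else:
        headers = AFTER
    problems = check_hsts(headers)
    print("OK: HSTS policy present" if not problems else "\n".join(problems))
```

Run it with no arguments to see the constructed "after" headers pass, or pass the appliance's FQDN to query the live VAMI; a scanner that flagged the missing header will normally be satisfied once check_hsts returns no findings.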