HSTS headers missing for JCP and REST processes


Article ID: 401761


Updated On:

Products

CA Automic Workload Automation - Automation Engine

Issue/Introduction

The JCP and REST API interfaces do not send HSTS when a client connects. Our security regulations require it.

When running curl against the REST and JCP endpoints, the strict-transport-security and x-content-type-options headers must be present in the response (if they are configured to be enabled).
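The curl check described above, written out as an added example (not a script from the article or from Broadcom): it fetches the response headers of an endpoint with a GET and reports which of the two required headers are absent. The URL in the usage comment is a placeholder for the REST or JCP endpoint under test.

```shell
#!/bin/sh
# Added example, not from the article: check an HTTP(S) response for the
# two headers the article requires (HSTS and X-Content-Type-Options).

# check_headers HEADERS
# HEADERS is a raw response header block (as produced by `curl -D -`).
# Prints each missing header; returns 0 if both are present, 1 otherwise.
check_headers() {
    headers=$1
    missing=0
    for h in strict-transport-security x-content-type-options; do
        # case-insensitive match at line start; a trailing CR from CRLF
        # header lines does not affect the match
        if ! printf '%s\n' "$headers" | grep -iq "^$h:"; then
            echo "MISSING: $h"
            missing=1
        fi
    done
    return $missing
}

# fetch_and_check URL
# Issues a GET (not HEAD, which some endpoints reject), dumps only the
# response headers, and runs check_headers on them. Returns 2 if curl fails.
fetch_and_check() {
    hdrs=$(curl -sS -o /dev/null -D - "$1") || return 2
    check_headers "$hdrs"
}

# Constructed sample responses for demonstration; not captured from a real
# Automation Engine. The first is compliant, the second lacks both headers.
SAMPLE_OK='HTTP/1.1 200 OK
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Content-Type-Options: nosniff
Content-Type: application/json'

SAMPLE_BAD='HTTP/1.1 200 OK
Content-Type: application/json'

# Usage against a live endpoint (placeholder URL, assumed, not from the article):
#   fetch_and_check "https://<ae-host>:<port>/"
```

Run it against both the REST and the JCP port separately, since the article states the headers were added for AWI but left out of those two processes.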


Cause

The following headers need to be present in the REST and JCP responses:

  • strict-transport-security https://owasp.org/www-project-secure-headers/#strict-transport-security
  • x-content-type-options https://owasp.org/www-project-secure-headers/#x-content-type-options

OWASP recommends returning these headers. They were already added for AWI (see the article below) but were left out of REST and JCP.

https://broadcomcms-software.wolkenservicedesk.com/external/article?articleNumber=388837

Resolution

Solution:

Update to a fix version listed below or a newer version if available.


Fix version:

Component(s): Automation Engine

Automation.Engine 24.4.0 - Available


HTTP/HTTPS response headers can now be configured in client 0 via the UC_HTTP_RESPONSE_HEADER variable:

https://docs.automic.com/documentation/webhelp/english/ALL/components/DOCU/24.4.0/Automic%20Automation%20Guides/Content/AWA/Variables/UC_HTTP_RESPONSE_HEADER.htm