VANWEBUI not enforcing HSTS
search cancel

VANWEBUI not enforcing HSTS

book

Article ID: 412512

calendar_today

Updated On:

Products

Vantage Storage Resource Manager

Issue/Introduction

The vulnerability scans have highlighted the following:
"The remote web server is not enforcing HSTS, as defined by RFC 6797. 
HSTS is an optional response header that can be configured on the server to instruct the browser to only communicate via HTTPS. The lack of HSTS allows downgrade attacks, SSL-stripping man-in-the-middle attacks, and weakens cookie-hijacking protections."

How enforce HSTS for the default ports of 8080 and 7080 (swagger-ui.html). 

 

 

Resolution

Regarding the "'strict-transport-security' header, the tomcat should be configured to use SSL, since it is returned over HTTPS only.

It is enabled by default.

To set a max-age, in {Tomcat}/conf/web.xml:

  <filter>
        <filter-name>httpHeaderSecurity</filter-name>
        <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
        <async-supported>true</async-supported>
        <init-param>
             <param-name>antiClickJackingOption</param-name>
             <param-value>SAMEORIGIN</param-value>
        </init-param>
  </filter>

It can be updated with:


  <filter>
        <filter-name>httpHeaderSecurity</filter-name>
        <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
        <async-supported>true</async-supported>
        <init-param>
             <param-name>antiClickJackingOption</param-name>
             <param-value>SAMEORIGIN</param-value>
        </init-param>
        <init-param>
             <param-name>hstsMaxAgeSeconds</param-name>
             <param-value>15552000</param-value>
        </init-param>
  </filter>

 

Powered by Wolken Software