HTTP Security Headers (X-Content-Type-Options and HSTS) Not Detected on Identity Suite vApp 14.5.x



Article ID: 440954


Products

CA Identity Suite CA Identity Manager

Issue/Introduction

Security scans (such as Qualys) may report a vulnerability indicating that HTTP security headers are not detected on the Identity Suite vApp. Specifically, the following two headers may be missing from responses; the finding maps to CWE-693: Protection Mechanism Failure:

  • X-Content-Type-Options: Stops the browser from MIME-sniffing a response and handling it as a content type other than the one declared in Content-Type.
  • Strict-Transport-Security (HSTS): Instructs the browser to communicate with the server only over HTTPS for the lifetime given by the header's max-age directive.

On the vApp platform, the httpd.conf file cannot be manually updated by the config user to add these headers.

Environment

vApp 14.5.1 CHF1 or later

Resolution

Engineering has created a hotfix that updates the httpd.conf configuration to emit these headers and so address the finding. The hotfix must be applied on all vApp nodes.

Hotfix Details:

  • Patch Name: HF_VA-14.5.1-20260514110607-DE670465.tgz.gpg
  • Dependency: This patch is designed to be applied on top of 14.5.1 CHF2.

Steps to apply:

  1. Ensure the vApp is updated to the latest Cumulative Hotfix (CHF2 is required for this specific patch).
  2. Apply the hotfix HF_VA-14.5.1-20260514110607-DE670465.tgz.gpg to all nodes in the vApp cluster.
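After the hotfix has been applied to every node, confirm that each node actually returns both headers rather than relying on the next scheduled scan. The script below is an added example and is not part of this article or of the vApp hotfix: it parses a raw HTTP response head and reports which of the two headers are missing or weak. The sample responses and the one-year minimum for the HSTS max-age are constructed assumptions.

```python
"""Check a raw HTTP response head for X-Content-Type-Options and HSTS.

Added example, not Broadcom's or the vApp's own code. The sample responses
below are constructed to illustrate a node before and after the hotfix.
"""
import re

# Assumed policy: accept an HSTS max-age of at least one year (in seconds).
MIN_HSTS_MAX_AGE = 31536000


def parse_headers(raw: bytes):
    """Split a raw HTTP/1.1 response into its status line and a lowercase-keyed header dict."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    status, *lines = head.split("\r\n")
    headers = {}
    for line in lines:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return status, headers


def check_security_headers(headers: dict) -> list:
    """Return a list of findings; an empty list means both headers are present and sane."""
    findings = []
    xcto = headers.get("x-content-type-options")
    if xcto is None:
        findings.append("X-Content-Type-Options missing")
    elif xcto.lower() != "nosniff":
        findings.append(f"X-Content-Type-Options has unexpected value {xcto!r}")
    hsts = headers.get("strict-transport-security")
    if hsts is None:
        findings.append("Strict-Transport-Security missing")
    else:
        m = re.search(r'max-age\s*=\s*"?(\d+)', hsts, re.IGNORECASE)
        if not m:
            findings.append("Strict-Transport-Security lacks max-age")
        elif int(m.group(1)) < MIN_HSTS_MAX_AGE:
            findings.append(f"HSTS max-age {m.group(1)} below {MIN_HSTS_MAX_AGE}")
    return findings


def audit(raw: bytes) -> list:
    """Convenience wrapper: parse a raw response and return its findings."""
    _, headers = parse_headers(raw)
    return check_security_headers(headers)


# Constructed sample responses: as a scanner would flag it, and after the fix.
BEFORE = b"HTTP/1.1 200 OK\r\nServer: Apache\r\nContent-Type: text/html\r\n\r\n<html>"
AFTER = (b"HTTP/1.1 200 OK\r\nServer: Apache\r\n"
         b"X-Content-Type-Options: nosniff\r\n"
         b"Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
         b"Content-Type: text/html\r\n\r\n<html>")

if __name__ == "__main__":
    for label, raw in (("before", BEFORE), ("after", AFTER)):
        print(label, audit(raw) or ["OK"])
```

To check a live node, capture the response head with `curl -si https://<vapp-host>/` and pass the bytes to `audit()`.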