“HSTS Missing From HTTPS Server” TCP/IP issue


Hello,


My Nessus scanner returned 3 new vulnerabilities for my vCenter 6.7 (Windows version) =>


9443/tcp: HSTS Missing From HTTPS Server

Description: The remote HTTPS server does not send the HTTP “Strict-Transport-Security” header.

7444/tcp: HSTS Missing From HTTPS Server

Description: The remote HTTPS server does not send the HTTP “Strict-Transport-Security” header.

5443/tcp: HSTS Missing From HTTPS Server

Description: The remote HTTPS server does not send the HTTP “Strict-Transport-Security” header.


I’m looking for a way to fix that.

I didn’t find any information in the VMware KB.


Port 9443 => vSphere Web Client HTTPS

Port 7444 => vCenter Single Sign-On

Port 5443 => vCenter Server graphical user interface internal


I already tried to modify the web.xml (C:\ProgramData\VMware\vCenterServer\runtime\vsphere-client\server\configuration\conf) where I found a section related to enabling HSTS, but after these changes my vCenter Web Client (Flash) didn’t start at all.

I added this in the “Filter definitions” section =>

    <!-- Tomcat's HttpHeaderSecurityFilter only adds Strict-Transport-Security
         when request.isSecure() is true, i.e. on the TLS connector itself;
         hstsEnabled=true is already the filter's default. -->
    <filter>
        <filter-name>httpHeaderSecurity</filter-name>
        <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
        <async-supported>true</async-supported>
        <init-param>
            <param-name>hstsEnabled</param-name>
            <param-value>true</param-value>
        </init-param>
        <init-param>
            <!-- 30758400 s is 356 days; a full year is 31536000 s -->
            <param-name>hstsMaxAgeSeconds</param-name>
            <param-value>30758400</param-value>
        </init-param>
        <init-param>
            <param-name>hstsIncludeSubDomains</param-name>
            <param-value>true</param-value>
        </init-param>
        <init-param>
            <!-- X-Frame-Options and X-Content-Type-Options left off here -->
            <param-name>antiClickJackingEnabled</param-name>
            <param-value>false</param-value>
        </init-param>
        <init-param>
            <param-name>blockContentTypeSniffingEnabled</param-name>
            <param-value>false</param-value>
        </init-param>
    </filter>


And in the “Filter Mappings” section =>

    <filter-mapping>
        <filter-name>httpHeaderSecurity</filter-name>
        <!-- "/*" already matches every request. A bare "*" is not a valid
             servlet url-pattern: Tomcat rejects a filter-mapping that contains
             it ("Invalid <url-pattern> [*] in filter mapping") and the web
             application then fails to deploy, so it is dropped here. -->
        <url-pattern>/*</url-pattern>
        <dispatcher>REQUEST</dispatcher>
    </filter-mapping>


In my company, all TCP issues have to be fixed or justified if not possible … not always easy.


Do you have an idea?
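A check for the three ports from the post, as an added example that is not part of the original post and not VMware's or Tomcat's code. It speaks plain HTTP/1.1 over TLS directly to each port, reports the same condition the scanner reported (no Strict-Transport-Security header at all), and additionally parses max-age and includeSubDomains so a header that is present but weak is flagged too. The hostname is an argument you supply; the sample responses at the bottom are constructed, not captured from a real vCenter; certificate verification is disabled on the assumption that the vCenter still uses its default self-signed certificates, and the one-year minimum is the commonly recommended baseline (RFC 6797 gives a year as its example value), not something the scanner plugin states.

```python
"""Check whether HTTPS endpoints send a usable Strict-Transport-Security header.

Added example, not from the original post. Host and ports are assumptions.
"""
import socket
import ssl
import sys

HSTS_HEADER = "strict-transport-security"
MIN_MAX_AGE = 31536000  # one year; assumed baseline, not the scanner's own threshold
VCENTER_PORTS = (9443, 7444, 5443)  # the ports reported in the post


def parse_hsts(header_value):
    """Parse an HSTS header value into its directives (RFC 6797 syntax)."""
    result = {"max_age": None, "include_subdomains": False, "preload": False}
    for directive in header_value.split(";"):
        name, _, value = directive.strip().partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')  # max-age may be a quoted-string
        if name == "max-age" and value.isdigit():
            result["max_age"] = int(value)
        elif name == "includesubdomains":
            result["include_subdomains"] = True
        elif name == "preload":
            result["preload"] = True
    return result


def parse_response_headers(raw):
    """Split a raw HTTP/1.x response into (status line, {lowercased name: value})."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def evaluate_hsts(raw):
    """Return a finding for one raw response: the scanner's condition plus strength checks."""
    status_line, headers = parse_response_headers(raw)
    value = headers.get(HSTS_HEADER)
    if value is None:
        return {"status": status_line, "hsts": None, "finding": "HSTS Missing From HTTPS Server"}
    parsed = parse_hsts(value)
    issues = []
    if parsed["max_age"] is None:
        issues.append("max-age directive missing or non-numeric")
    elif parsed["max_age"] < MIN_MAX_AGE:
        issues.append(f"max-age {parsed['max_age']} is below {MIN_MAX_AGE}")
    if not parsed["include_subdomains"]:
        issues.append("includeSubDomains not set")
    return {"status": status_line, "hsts": parsed, "finding": "; ".join(issues) or "ok"}


def fetch_raw_response(host, port, path="/", timeout=5):
    """TLS handshake plus a HEAD request; returns the raw response bytes.

    Verification is off because a default vCenter presents self-signed certs
    (assumption); the status code does not matter, only the headers do.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    request = f"HEAD {path} HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n".encode()
    chunks = []
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            tls.sendall(request)
            while True:
                data = tls.recv(4096)
                if not data:
                    break
                chunks.append(data)
                if b"\r\n\r\n" in b"".join(chunks):
                    break  # headers complete; the body is irrelevant for HEAD
    return b"".join(chunks)


# Constructed sample responses (not captured from a real vCenter).
SAMPLE_MISSING = b"HTTP/1.1 200 OK\r\nServer: Apache-Coyote/1.1\r\nContent-Type: text/html\r\n\r\n"
SAMPLE_WEAK = b"HTTP/1.1 302 Found\r\nLocation: /ui/\r\nStrict-Transport-Security: max-age=30758400\r\n\r\n"
SAMPLE_GOOD = b"HTTP/1.1 200 OK\r\nStrict-Transport-Security: max-age=31536000; includeSubDomains\r\n\r\n"

if __name__ == "__main__":
    if len(sys.argv) > 1:
        for port in VCENTER_PORTS:
            try:
                print(port, evaluate_hsts(fetch_raw_response(sys.argv[1], port)))
            except OSError as exc:
                print(port, "connection failed:", exc)
    else:
        for name, raw in (("missing", SAMPLE_MISSING), ("weak", SAMPLE_WEAK), ("good", SAMPLE_GOOD)):
            print(name, evaluate_hsts(raw))
```

Run it as `python hsts_check.py vcenter.example.com` (script name and hostname are placeholders) from a machine that can reach the three ports; without an argument it only evaluates the constructed samples. Because Tomcat's HttpHeaderSecurityFilter only emits the header when the request arrives over its own TLS connector, a port that is fronted by another TLS-terminating component can stay on the "missing" list even after the web.xml change, which is exactly what this check makes visible per port.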
