We have been contacted by our security team regarding a Qualys scan that has detected the following Issue on our AdminStudio 2020 R2 server. Has anyone else come across this and is there a solution?
HTTP Security Header Not Detected:
Details from event:
To better debug the results of this QID, it is requested that customers execute commands to simulate the following functionality: curl -lkL --verbose.
CWE-693: Protection Mechanism Failure mentions the following - The product does not use or incorrectly uses a protection mechanism that provides sufficient defense against directed attacks against the product. A "missing" protection mechanism occurs when the application does not define any mechanism against a certain class of attack. An "insufficient" protection mechanism might provide some defenses - for example, against the most common attacks - but it does not protect against everything that is intended. Finally, an "ignored" mechanism occurs when a mechanism is available and in active use within the product, but the developer has not applied it in some code path.
Customers are advised to set proper X-Content-Type-Options and Strict-Transport-Security HTTP response headers.
Depending on their server software, customers can set directives in their site configuration or Web.config files. A few examples are:
Apache: Header always set X-Content-Type-Options: nosniff
Apache: Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
Nginx: add_header Strict-Transport-Security max-age=31536000;
Note: Network devices that include an HTTP/HTTPS console for administrative/management purposes often do not include all/some of the security headers. This is a known issue and it is recommended to contact the vendor for a solution.
Sep 28, 2022 01:14 AM
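An added example, not part of the thread and not code from Flexera or Qualys: an offline check that evaluates a set of captured response headers (for instance the ones printed by the curl command quoted above) against the two headers the QID asks for, parsing the Strict-Transport-Security directives rather than just testing for presence. The sample headers and the one-year minimum are constructed from the values in the quoted guidance.

```python
# Added example (not from the thread, Flexera or Qualys): an offline check of captured
# response headers against the two headers the QID asks for. Sample headers are constructed.
HSTS_MIN_AGE = 31536000  # one year, the value the quoted guidance uses

def parse_hsts(value):
    """Split a Strict-Transport-Security value into its directives (names are case-insensitive)."""
    parsed = {"max_age": None, "include_subdomains": False, "preload": False}
    for directive in value.split(";"):
        name, _, val = directive.strip().partition("=")
        name, val = name.strip().lower(), val.strip().strip('"')
        if name == "max-age" and val.isdigit():
            parsed["max_age"] = int(val)
        elif name == "includesubdomains":
            parsed["include_subdomains"] = True
        elif name == "preload":
            parsed["preload"] = True
    return parsed

def check_headers(headers):
    """Return the findings a scanner would raise for a dict of response headers; [] means clean."""
    lower = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    findings = []
    xcto = lower.get("x-content-type-options")
    if xcto is None:
        findings.append("X-Content-Type-Options missing")
    elif xcto.strip().lower() != "nosniff":
        findings.append(f"X-Content-Type-Options has unexpected value {xcto!r}")
    hsts = lower.get("strict-transport-security")
    if hsts is None:
        findings.append("Strict-Transport-Security missing")
    else:
        p = parse_hsts(hsts)
        if p["max_age"] is None:
            findings.append("Strict-Transport-Security lacks a valid max-age")
        elif p["max_age"] < HSTS_MIN_AGE:
            findings.append(f"Strict-Transport-Security max-age {p['max_age']} is below {HSTS_MIN_AGE}")
        if not p["include_subdomains"]:
            findings.append("Strict-Transport-Security lacks includeSubDomains")
    return findings

# Constructed sample: a response carrying neither header, as the scan reports.
SAMPLE_BARE = {"Content-Type": "text/html; charset=utf-8", "Server": "example"}
# Constructed sample: the headers as set by the Apache directives quoted in the post.
SAMPLE_FIXED = {"Content-Type": "text/html; charset=utf-8",
                "X-Content-Type-Options": "nosniff",
                "Strict-Transport-Security": "max-age=31536000; includeSubDomains"}

if __name__ == "__main__":
    for label, hdrs in (("bare", SAMPLE_BARE), ("fixed", SAMPLE_FIXED)):
        print(label, check_headers(hdrs) or "ok")
```

Feeding it the headers from each virtual host or application path separately matters, because a header set only on the default site will still leave the admin console's path reporting as missing.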
Is this issue reported for AdminStudio or AdminStudio Enterprise Server (AES)?
Oct 11, 2022 06:13 AM