HTTP Security Header Not Detected

We have been contacted by our security team regarding a Qualys scan that has detected the following Issue on our AdminStudio 2020 R2 server. Has anyone else come across this and is there a solution?

HTTP Security Header Not Detected:

-------------------------------------

Details from event:

To better debug the results of this QID, it is requested that customers execute commands to simulate the following functionality: curl -lkL --verbose.

CWE-693: Protection Mechanism Failure mentions the following - The product does not use or incorrectly uses a protection mechanism that provides sufficient defense against directed attacks against the product. A "missing" protection mechanism occurs when the application does not define any mechanism against a certain class of attack. An "insufficient" protection mechanism might provide some defenses - for example, against the most common attacks - but it does not protect against everything that is intended. Finally, an "ignored" mechanism occurs when a mechanism is available and in active use within the product, but the developer has not applied it in some code path.

Customers are advised to set proper X-Content-Type-Options and Strict-Transport-Security HTTP response headers.

Depending on their server software, customers can set directives in their site configuration or Web.config files. A few examples are:

X-Content-Type-Options:
Apache: Header always set X-Content-Type-Options: nosniff

HTTP Strict-Transport-Security:
Apache: Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
Nginx: add_header Strict-Transport-Security max-age=31536000;

Note: Network devices that include an HTTP/HTTPS console for administrative/management purposes often do not include all/some of the security headers. This is a known issue and it is recommended to contact the vendor for a solution.
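To confirm whether the scan finding is real before and after changing the server configuration, the two headers Qualys names can be checked directly in a raw response. The checker below is an added example, not code from Qualys or from the AdminStudio product; the two sample responses are constructed (the IIS `Server` value is a placeholder, not real AdminStudio output), and it applies the same `nosniff` and `max-age=31536000` values the Qualys text quotes.

```python
import re
from typing import Dict, List

# Constructed sample, shaped like the header block `curl -ikL --verbose` prints
# for a server that sends neither header (not real AdminStudio output).
SAMPLE_MISSING = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Microsoft-IIS/10.0\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "\r\n"
    "<html>...</html>"
)

# Constructed sample after the fix: both headers present with acceptable values.
SAMPLE_FIXED = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Microsoft-IIS/10.0\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "\r\n"
)

def parse_headers(raw: str) -> Dict[str, str]:
    """Parse the header block of a raw HTTP response into a lowercase-keyed dict."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers: Dict[str, str] = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, _, value = line.partition(":")
        if name:
            headers[name.strip().lower()] = value.strip()
    return headers

def check_security_headers(raw: str, min_max_age: int = 31536000) -> List[str]:
    """Return findings for the two headers in the scan; an empty list means both pass."""
    h = parse_headers(raw)
    findings: List[str] = []
    xcto = h.get("x-content-type-options")
    if xcto is None:
        findings.append("X-Content-Type-Options missing")
    elif xcto.lower() != "nosniff":
        findings.append(f"X-Content-Type-Options has unexpected value {xcto!r}")
    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("Strict-Transport-Security missing")
    else:
        m = re.search(r"max-age\s*=\s*(\d+)", hsts, re.IGNORECASE)
        if not m:
            findings.append("Strict-Transport-Security has no max-age")
        elif int(m.group(1)) < min_max_age:
            findings.append(f"Strict-Transport-Security max-age {m.group(1)} below {min_max_age}")
    return findings
```

Run it against the HTTPS response of the server, since HSTS is only honoured by browsers when it arrives over TLS; a header present only on the HTTP redirect will still be reported as missing by the scanner.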


Is this issue reported for AdminStudio or AdminStudio Enterprise Server (AES)?