So, I'm trying to get my Sophos Protect installation to pass PCI Compliance.
The last thing I have to correct is the HTTP Security Headers.
I'm using the Apache HTTP Proxy that is included with the All-in-One Installer.
Everything is installed on the same server (Windows 2016 Standard).
When I hit the root of the web server (the IP or DNS name) I do not see any of the required security headers:
Strict-Transport-Security
X-Content-Type-Options
X-XSS-Protection
However, when I'm redirected to the webconsole (dnsname/era/webconsole) those required security headers exist.
I'm assuming that the configuration of the Apache HTTP Proxy needs updating, as I previously followed this KB to enable HSTS in the webconsole: https://support.eset.com/en/kb6746-enable-http-strict-transport-security-on-the-web-console-in-esmc-7x
I've tried adding the following directives to these configuration files and restarting the ApacheHttpProxy service, but it hasn't fixed it.
\program files\apache http proxy 2.4.48\conf\http.conf
\program files\apache http proxy 2.4.48\conf\extra\httpd-ssl.conf
Header set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
Header set X-XSS-Protection "1; mode=block"
On my firewall, I have a NAT rule that forwards all HTTPS traffic destined for this public IP to my server.
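As an added example (not from the original post or from ESET's own configuration), the header directives I would expect to satisfy the scanner, placed inside the TLS virtual host in httpd-ssl.conf; it assumes the bundled Apache ships mod_headers and that the root URL answers with a 3xx redirect, because plain "Header set" only applies to 2xx responses and therefore never reaches that redirect.

```apache
# Load mod_headers; without it the Header directives below are rejected
# at config check. Module path follows the stock layout (an assumption).
LoadModule headers_module modules/mod_headers.so

<VirtualHost _default_:443>
    SSLEngine on

    <IfModule mod_headers.c>
        # "always" attaches the headers to every response, including the
        # 3xx redirect the root URL returns. Without "always", Apache only
        # adds them to 2xx responses, which is why they appear on
        # /era/webconsole but not on / .
        Header always set X-Content-Type-Options "nosniff"
        Header always set X-XSS-Protection "1; mode=block"
        # HSTS belongs only on TLS responses; browsers ignore it over
        # plain HTTP, so keep it in the :443 vhost rather than httpd.conf.
        Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
    </IfModule>
</VirtualHost>
```

After restarting the service, confirm with `curl -sSI https://<dnsname>/` that the redirect response itself (not only the webconsole page) carries all three headers.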