
ESET Protect - PCI Compliance - Apache HTTP Proxy


Recommended Posts

So, I'm trying to get my Sophos Protect installation to pass PCI Compliance.
The last thing I have to correct is the HTTP Security Headers.

I'm using the Apache HTTP Proxy that is included with the All-in-One Installer.
Everything is installed on the same server (Windows 2016 Standard).

When I hit the root of the web server (the IP or DNS name) I do not see any of the required security headers:
Strict-Transport-Security
X-Content-Type-Options
X-XSS-Protection

However, when I'm redirected to the webconsole (dnsname/era/webconsole) those required security headers exist.

I'm assuming that the configuration of the Apache HTTP Proxy needs updating, as I previously followed this KB to enable HSTS in the webconsole: https://support.eset.com/en/kb6746-enable-http-strict-transport-security-on-the-web-console-in-esmc-7x

I've tried adding the following lines to these configuration files and restarting the ApacheHttpProxy service, but it hasn't fixed it.
\program files\apache http proxy 2.4.48\conf\http.conf
\program files\apache http proxy 2.4.48\conf\extra\httpd-ssl.conf

    Header set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
    Header set X-XSS-Protection "1; mode=block"


On my firewall I have a NAT rule that forwards all HTTPS traffic intended for this public IP to my server.

Edited by Derek Lechner

  • ESET Staff

Not sure I understood correctly, but in case there is a problem with the configuration of WebConsole (i.e. an issue with headers), you will have to check and possibly adapt the configuration of "Apache Tomcat" and not "Apache HTTP Proxy". As you mentioned, our application most probably uses the correct configuration, but the root page is most probably using the default configuration of Apache Tomcat, which might explain why such headers are missing.

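A check for the symptom described in this thread, added here as an example and not part of the original posts or of ESET's software: it parses a captured HTTP response (the constructed samples stand in for the bare root redirect and the webconsole page) and reports which of the three required headers are missing or weak, and can run the same check against a live URL.

```python
import urllib.request
REQUIRED = {  # header -> substring its value must contain (case-insensitive)
    "strict-transport-security": "max-age=",
    "x-content-type-options": "nosniff",
    "x-xss-protection": "1; mode=block",
}
# Constructed samples: the root redirect without headers, the webconsole page with them.
ROOT_RESPONSE = (
    "HTTP/1.1 302 Found\r\nServer: Apache\r\n"
    "Location: https://era.example.invalid/era/webconsole/\r\nContent-Length: 0\r\n\r\n"
)
WEBCONSOLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains; preload\r\n"
    "X-Content-Type-Options: nosniff\r\nX-XSS-Protection: 1; mode=block\r\n"
    "Content-Type: text/html\r\n\r\n"
)

def parse_headers(raw):
    """Parse a raw HTTP response (status line plus headers) into {lower-case name: value}."""
    headers = {}
    for line in raw.splitlines()[1:]:
        if not line.strip():
            break  # blank line ends the header block
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers

def check_headers(headers, min_max_age=31536000):
    """Return {header: problem} for missing or weak headers; an empty dict means compliant."""
    problems = {}
    for name, expected in REQUIRED.items():
        value = headers.get(name)
        if value is None:
            problems[name] = "missing"
        elif expected not in value.lower():
            problems[name] = f"unexpected value {value!r}"
    hsts = headers.get("strict-transport-security", "").lower()
    if "max-age=" in hsts:  # also reject an HSTS lifetime shorter than the KB's one year
        age = hsts.split("max-age=")[1].split(";")[0].strip()
        if not age.isdigit() or int(age) < min_max_age:
            problems["strict-transport-security"] = f"max-age {age!r} below {min_max_age}"
    return problems

def check_url(url):
    """Fetch a live URL (redirects are followed) and check the final response's headers."""
    with urllib.request.urlopen(url) as resp:
        return check_headers({k.lower(): v for k, v in resp.getheaders()})

if __name__ == "__main__":
    for label, raw in (("root", ROOT_RESPONSE), ("webconsole", WEBCONSOLE_RESPONSE)):
        print(label, check_headers(parse_headers(raw)) or "all required headers present")
```

Because the root URL answers with a redirect, keep in mind that mod_headers' plain `Header set` applies only to 2xx responses; `Header always set` is needed for the headers to appear on the 302 as well.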
