Posted (edited)

So, I'm trying to get my Sophos Protect installation to pass PCI Compliance.
The last thing I have to correct is the HTTP Security Headers.

I'm using the Apache HTTP Proxy that is included with the All-in-One Installer.
Everything is installed on the same server (Windows 2016 Standard).

When I hit the root of the web server (the IP or DNS name) I do not see any of the required security headers:
Strict-Transport-Security
X-Content-Type-Options
X-XSS-Protection

However, when I'm redirected to the webconsole (dnsname/era/webconsole) those required security headers exist.

I'm assuming that the configuration of the Apache HTTP Proxy needs updating, as I previously followed this KB to enable HSTS in the webconsole: https://support.eset.com/en/kb6746-enable-http-strict-transport-security-on-the-web-console-in-esmc-7x

I've tried adding the following directives to these configuration files and restarting the ApacheHttpProxy service, but it hasn't fixed it.
\program files\apache http proxy 2.4.48\conf\http.conf
\program files\apache http proxy 2.4.48\conf\extra\httpd-ssl.conf

    # "always" puts the headers in the table that is also applied to non-2xx
    # responses (e.g. the 3xx redirect from the root to /era/webconsole);
    # plain "Header set" only touches successful (2xx) responses.
    Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
    Header always set X-XSS-Protection "1; mode=block"


On my Firewall: I have a NAT rule that is forwarding all https traffic intended to this public IP to my server.


Edited by Derek Lechner
  • ESET Staff
Posted

Not sure I understood correctly, but in case there is a problem with the configuration of the WebConsole (i.e. an issue with headers), you will have to check and possibly adapt the configuration of "Apache Tomcat", not "Apache HTTP Proxy". As you mentioned, our application most probably uses the correct configuration, but the root page is most probably using the default configuration of Apache Tomcat, which might explain why such headers are missing.
