Derek Lechner
Posted November 17, 2021

So, I'm trying to get my Sophos Protect installation to pass PCI Compliance. The last thing I have to correct is the HTTP Security Headers. I'm using the Apache HTTP Proxy that is included with the All-in-One Installer. Everything is installed on the same server (Windows 2016 Standard).

When I hit the root of the web server (the IP or DNS name) I do not see any of the required security headers:

Strict-Transport-Security
X-Content-Type-Options
X-XSS-Protection

However, when I'm redirected to the webconsole (dnsname/era/webconsole) those required security headers exist.

I'm assuming that the configuration of the Apache HTTP Proxy needs updating, as I previously followed this KB to enable HSTS in the webconsole:
https://support.eset.com/en/kb6746-enable-http-strict-transport-security-on-the-web-console-in-esmc-7x

I've tried adding the following lines to these configuration files and restarting the ApacheHttpProxy service, but it hasn't fixed it.

\program files\apache http proxy 2.4.48\conf\http.conf
\program files\apache http proxy 2.4.48\conf\extra\httpd-ssl.conf

Header set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
Header set X-XSS-Protection "1; mode=block"

On my Firewall: I have a NAT rule that is forwarding all https traffic intended to this public IP to my server.

Edited November 17, 2021 by Derek Lechner
MartinK (ESET Staff)
Posted November 18, 2021

Not sure I understood correctly, but in case there is a problem with the configuration of WebConsole (i.e. an issue with headers), you will have to check and possibly adapt the configuration of "Apache Tomcat" and not "Apache HTTP Proxy". As you mentioned, our application most probably uses the correct configuration, but the root page is most probably using the default configuration of Apache Tomcat, which might explain why such headers are missing.
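The check a PCI scanner effectively performs on the two URLs discussed above, as an added example that is not part of this thread and is not ESET's, Apache's or the poster's code. It requests the site root and the console path separately and deliberately does not follow redirects, so the 3xx answer at the root is graded on its own, which is what the scanner sees. The sample responses, the path `/era/webconsole/` as a redirect target, and the one-year `max-age` floor are assumptions for illustration; only the three header names come from the post.

```python
"""Report which of the three PCI-flagged security headers a response lacks.

Added example for this thread (not code from ESET, Apache or the poster).
With no arguments it grades two constructed sample responses; given URLs it
fetches each one live WITHOUT following redirects, as a scanner does.
"""
import ssl
import sys
import urllib.error
import urllib.request
from typing import Dict, List, Tuple

Headers = Dict[str, str]

# Constructed samples (assumed, not captured): a bare 302 at the root and a
# 200 from the console path that carries all three headers.
SAMPLE_ROOT: Tuple[int, Headers] = (302, {"Location": "/era/webconsole/", "Content-Length": "0"})
SAMPLE_CONSOLE: Tuple[int, Headers] = (200, {
    "Content-Type": "text/html;charset=UTF-8",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload",
    "X-Content-Type-Options": "nosniff",
    "X-XSS-Protection": "1; mode=block",
})


def parse_hsts(value: str) -> Dict[str, str]:
    """Split an HSTS value into lower-cased directives: {'max-age': '31536000', 'includesubdomains': ''}."""
    directives: Dict[str, str] = {}
    for part in value.split(";"):
        part = part.strip()
        if part:
            name, _, val = part.partition("=")
            directives[name.strip().lower()] = val.strip().strip('"')
    return directives


def check_headers(headers: Headers, min_max_age: int = 31536000) -> List[str]:
    """Return one finding per missing or weak header; an empty list means all three pass.

    Names match case-insensitively. The one-year max-age floor is an assumed
    policy value, not a number from the thread or from PCI DSS.
    """
    h = {k.lower(): v for k, v in headers.items()}
    findings: List[str] = []

    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("Strict-Transport-Security missing")
    else:
        d = parse_hsts(hsts)
        try:
            max_age = int(d.get("max-age", ""))
        except ValueError:
            max_age = -1
        if max_age < min_max_age:
            findings.append(f"Strict-Transport-Security max-age={d.get('max-age')!r} is below {min_max_age}")
        if "includesubdomains" not in d:
            findings.append("Strict-Transport-Security lacks includeSubDomains")

    xcto = h.get("x-content-type-options")
    if xcto is None:
        findings.append("X-Content-Type-Options missing")
    elif xcto.strip().lower() != "nosniff":
        findings.append(f"X-Content-Type-Options is {xcto!r}, expected 'nosniff'")

    xxp = h.get("x-xss-protection")
    if xxp is None:
        findings.append("X-XSS-Protection missing")
    elif "".join(xxp.split()).lower() != "1;mode=block":
        findings.append(f"X-XSS-Protection is {xxp!r}, expected '1; mode=block'")
    return findings


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Make urllib hand back 3xx responses instead of silently following them."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def fetch_headers(url: str, verify_tls: bool = True, timeout: int = 10) -> Tuple[int, Headers]:
    """GET one URL without following redirects; 3xx/4xx/5xx answers still yield their headers."""
    ctx = ssl.create_default_context()
    if not verify_tls:  # the console frequently runs on a self-signed certificate
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    opener = urllib.request.build_opener(_NoRedirect, urllib.request.HTTPSHandler(context=ctx))
    try:
        with opener.open(url, timeout=timeout) as resp:
            return resp.status, dict(resp.headers.items())
    except urllib.error.HTTPError as err:  # raised for every non-2xx once redirects are disabled
        return err.code, dict(err.headers.items())


def report(label: str, status: int, headers: Headers) -> bool:
    """Print a verdict plus findings for one response; True when it passes."""
    findings = check_headers(headers)
    print(f"{label}: HTTP {status} -> {'OK' if not findings else 'FAIL'}")
    for finding in findings:
        print("  -", finding)
    return not findings


if __name__ == "__main__":
    if len(sys.argv) > 1:
        results = [report(u, *fetch_headers(u, verify_tls=False)) for u in sys.argv[1:]]
    else:
        results = [report("sample root", *SAMPLE_ROOT), report("sample /era/webconsole", *SAMPLE_CONSOLE)]
    sys.exit(0 if all(results) else 1)
```

Run it as `python check_headers.py https://host/ https://host/era/webconsole/` and compare the two verdicts. If the root fails with a 302, note one mod_headers detail that the directives quoted in the post run into: `Header set` uses the default `onsuccess` condition and only touches 2xx responses, so a redirect, whether issued by Apache itself or passed through from the proxied Tomcat, leaves without the header unless the directive is written as `Header always set ...`; the directive also does nothing unless `LoadModule headers_module modules/mod_headers.so` is active in the same configuration.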