The vCenter VAMI service must implement HTTP Strict Transport Security (HSTS).

An XCCDF Rule

Description

<VulnDiscussion>HSTS instructs web browsers to only use secure connections for all future requests when communicating with a website. Doing so helps prevent SSL protocol attacks, SSL stripping, cookie hijacking, and other attempts to circumvent SSL protection.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>

ID: SV-259157r935375_rule
Severity: Medium
References: CCI-000366
Updated: 17 days ago

Navigate to and open:

/etc/applmgmt/appliance/lighttpd.conf

Locate the "setenv.add-response-header" parameter and add or update the following value:
"Strict-Transport-Security" => "max-age=31536000; includeSubDomains; preload",

Note: The last line in the parameter does not need a trailing comma.

Restart the service with the following command:

# vmon-cli --restart applmgmt

The vCenter VAMI service must implement HTTP Strict Transport Security (HSTS).

Description

Remediation - Manual Procedure