The vCenter VAMI service must implement HTTP Strict Transport Security (HSTS).

An XCCDF Rule

Description

<VulnDiscussion>HSTS instructs web browsers to only use secure connections for all future requests when communicating with a website. Doing so helps prevent SSL protocol attacks, SSL stripping, cookie hijacking, and other attempts to circumvent SSL protection.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>

ID: SV-259157r1003730_rule
Severity: Medium
References: CCI-000366
Updated: 19 days ago

Navigate to and open:

/opt/vmware/etc/lighttpd/applmgmt-lighttpd.conf

If header "Strict-Transport-Security" is not present, add the following line to the end of the file:
setenv.add-response-header += ("Strict-Transport-Security" => "max-age=31536000; includeSubDomains; preload")

If header "Strict-Transport-Security" is present and not set to "Deny", update the value as shown below:

"Strict-Transport-Security" => "max-age=31536000; includeSubDomains; preload",

Note: The last line in the parameter does not need a trailing comma if part of a multi-line configuration.

Restart the service with the following command:

# systemctl restart cap-lighttpd

The vCenter VAMI service must implement HTTP Strict Transport Security (HSTS).

Description

Remediation - Manual Procedure