VMware Cloud Community
bashmore
Enthusiast

Response headers in VCSA 6.5

Does anyone know how to set the response headers on the VMware vCenter Server Appliance?

Looking to mitigate the vulnerabilities by being able to set the following on the appliance:

"Strict-Transport-Security"

"X-Frame-Options" => "SAMEORIGIN",

"X-Content-Type-Options" => "nosniff"

2 Replies
peetz
Leadership

Greetings,

Are you referring to a specific vulnerability, a VMware Security Advisory, a CVE or the like?

I looked at the HTTP headers that the vCSA 6.5 sends (with Chrome debug console), and noticed that the headers you mentioned are already sent from the Flash based Web Client (/vsphere-client), but not consistently from the HTML5 client (/ui).

You can for sure tinker with these settings by editing the web.xml config files of the different Tomcat instances, but this is certainly unsupported by VMware and can cause unwanted side effects like Web Client plugins no longer working as expected.

- Andreas

Twitter: @VFrontDe, @ESXiPatches | https://esxi-patches.v-front.de | https://vibsdepot.v-front.de
bashmore
Enthusiast

Hi Andreas

The report shows that the main web client for the VCSA on port 443 (before choosing the client to use) does not have the headers set. I have tested both the Flash Web Client and the HTML5 client, and both are showing none of the response headers on our system.

I will contact VMware themselves and see what they say; I will post a reply if I get anything from them.

- Barrie

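Both posts above rest on reading the response headers by hand (Andreas in the Chrome debug console, Barrie from a scanner report). The script below is an added example, not code from the thread or from VMware: it parses a raw HTTP response head, audits the three headers the original question lists, and reports each as ok, missing or weak, so the finding can be reproduced from a script and re-checked after any change or any answer from VMware. The sample responses are constructed for the example and are not captured from a real vCSA; the one-year HSTS threshold, the header names of the checks and the host name in the comment are assumptions of this example.

```python
"""Audit a web endpoint for Strict-Transport-Security, X-Frame-Options and
X-Content-Type-Options. Added example for the thread above, not VMware code."""
import http.client
import ssl
from typing import Dict, List, Tuple

# Assumed policy threshold (not from the thread): one year is what the HSTS
# preload list expects, and shorter values give little protection.
MIN_HSTS_MAX_AGE = 31536000

Finding = Tuple[str, str, str]  # (header name, status, detail); status is ok|missing|weak


def parse_raw_headers(raw: str) -> Dict[str, str]:
    """Turn a raw HTTP response head (status line plus header lines) into a
    dict keyed by lower-cased header name. Repeated fields are joined with
    ", " as RFC 7230 allows, so a second copy of a header is not silently lost."""
    headers: Dict[str, str] = {}
    for line in raw.split("\r\n")[1:]:  # skip the status line
        if line == "":                   # blank line ends the header block
            break
        name, _, value = line.partition(":")
        key, value = name.strip().lower(), value.strip()
        headers[key] = f"{headers[key]}, {value}" if key in headers else value
    return headers


def check_hsts(value: str) -> Tuple[str, str]:
    """HSTS only helps if max-age is present, numeric and reasonably long."""
    directives: Dict[str, str] = {}
    for part in value.split(";"):
        name, _, val = part.strip().partition("=")
        directives[name.strip().lower()] = val.strip().strip('"')
    try:
        max_age = int(directives.get("max-age", ""))
    except ValueError:
        return "weak", "max-age directive missing or not an integer"
    if max_age < MIN_HSTS_MAX_AGE:
        return "weak", f"max-age={max_age} is below {MIN_HSTS_MAX_AGE}"
    return "ok", value


def check_frame_options(value: str) -> Tuple[str, str]:
    """Browsers honour DENY and SAMEORIGIN; ALLOW-FROM is obsolete and any
    other token is ignored, which leaves the page frameable."""
    if value.strip().upper() in ("DENY", "SAMEORIGIN"):
        return "ok", value
    return "weak", f"value {value!r} is not DENY or SAMEORIGIN"


def check_content_type_options(value: str) -> Tuple[str, str]:
    if value.strip().lower() == "nosniff":
        return "ok", value
    return "weak", f"value {value!r} is not nosniff"


CHECKS = [
    ("strict-transport-security", check_hsts),
    ("x-frame-options", check_frame_options),
    ("x-content-type-options", check_content_type_options),
]


def audit(headers: Dict[str, str]) -> List[Finding]:
    findings: List[Finding] = []
    for name, check in CHECKS:
        if name not in headers:
            findings.append((name, "missing", "header not present in response"))
        else:
            status, detail = check(headers[name])
            findings.append((name, status, detail))
    return findings


def fetch_headers(host: str, port: int = 443, path: str = "/",
                  verify_tls: bool = True) -> Dict[str, str]:
    """Fetch a live response head over TLS. verify_tls=False is only for an
    appliance still on its self-signed certificate; it does not change what
    the headers say, but do not reuse that setting anywhere credentials flow."""
    ctx = ssl.create_default_context()
    if not verify_tls:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    conn = http.client.HTTPSConnection(host, port, context=ctx, timeout=10)
    try:
        conn.request("GET", path, headers={"User-Agent": "header-audit/0.1"})
        resp = conn.getresponse()
        headers: Dict[str, str] = {}
        for name, value in resp.getheaders():
            key = name.lower()
            headers[key] = f"{headers[key]}, {value}" if key in headers else value
        return headers
    finally:
        conn.close()


# Constructed sample responses for the example (not captured from a real vCSA).
SAMPLE_UNHARDENED = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache\r\n"
    "Content-Type: text/html;charset=UTF-8\r\n"
    "\r\n"
)
SAMPLE_HARDENED = (
    "HTTP/1.1 200 OK\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "Content-Type: text/html;charset=UTF-8\r\n"
    "\r\n"
)
SAMPLE_WEAK = (
    "HTTP/1.1 200 OK\r\n"
    "Strict-Transport-Security: max-age=0\r\n"
    "X-Frame-Options: ALLOW-FROM https://example.invalid\r\n"
    "X-Content-Type-Options: NoSniff\r\n"
    "\r\n"
)

if __name__ == "__main__":
    for label, raw in (("unhardened", SAMPLE_UNHARDENED), ("hardened", SAMPLE_HARDENED),
                       ("weak", SAMPLE_WEAK)):
        print(f"== {label} ==")
        for name, status, detail in audit(parse_raw_headers(raw)):
            print(f"{status:8} {name}: {detail}")
    # Live check of an appliance (host name is a placeholder assumption):
    # audit(fetch_headers("vcsa.example.invalid", path="/ui/", verify_tls=False))
```

Run it against the paths the thread mentions separately (`/`, `/vsphere-client/` and `/ui/`), since Andreas observed that the Tomcat instances behind them do not send the same headers; the audit reads only the one response head you hand it, so a redirect from `/` to a client path has to be followed by a second call with that path.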