I opened a support case and here was the response I received.
Regarding the vCenter HSTS errors
For the VAMI interface, we currently have a workaround for these errors; see our internal KB below:
=================================================================================================
Adding Strict Transport Security (HSTS) Headers to the vCenter Server Appliance Management Interface (VAMI)
Symptoms
Customers may receive reports from a security scan that the vCenter Server Appliance Management Interface lacks the Strict Transport Security (HSTS) headers.
Cause
The lighttp daemon does not include these headers by default.
Resolution
You can modify the /etc/applmgmt/appliance/lighttpd.conf file to include this header.
Replace the lines:
setenv.add-response-header = ( "X-UA-Compatible" => "IE=edge",
"X-Frame-Options" => "Deny" )
With the following:
setenv.add-response-header = ( "X-UA-Compatible" => "IE=edge",
"X-Frame-Options" => "Deny",
"Strict-Transport-Security" => "max-age=31536000; includeSubdomains" )
Restart the lighttp daemon:
systemctl restart vami-lighttp
============================================================================
For the Web Client, the HSTS fix is currently available only for VCSA 7.0 and not for VCSA 6.7.
We still have a few bug reports open for VCSA 6.7 and are currently waiting on our engineering team to come back with a patch.
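As an added example (not part of the original post or VMware's KB), the following Python script applies the KB edit programmatically and then checks the result the way a scanner would: it appends the Strict-Transport-Security entry to the lighttpd setenv.add-response-header list only if it is missing, parses the configured headers back out, and validates the max-age. The sample config is constructed from the snippet above; the port and file layout are assumptions.

```python
import re

HSTS_VALUE = "max-age=31536000; includeSubdomains"

# Constructed sample of the relevant part of /etc/applmgmt/appliance/lighttpd.conf
SAMPLE_CONF = (
    'server.port = 5480\n'
    'setenv.add-response-header = ( "X-UA-Compatible" => "IE=edge",\n'
    '"X-Frame-Options" => "Deny" )\n'
)

# Captures the parenthesised value list of the directive, which may span lines.
_HEADER_BLOCK = re.compile(r'(setenv\.add-response-header\s*=\s*\()(.*?)(\))', re.DOTALL)


def add_hsts_header(conf: str, value: str = HSTS_VALUE) -> str:
    """Return conf with an HSTS entry appended to setenv.add-response-header.
    Idempotent: the text is returned unchanged if the header is already set."""
    m = _HEADER_BLOCK.search(conf)
    if m is None:
        raise ValueError("setenv.add-response-header directive not found")
    body = m.group(2)
    if "Strict-Transport-Security" in body:
        return conf
    # Keep the existing entries and add ours on a new line, as in the KB snippet.
    new_body = body.rstrip() + ',\n"Strict-Transport-Security" => "%s" ' % value
    return conf[:m.start(2)] + new_body + conf[m.end(2):]


def configured_headers(conf: str) -> dict:
    """Parse the "Name" => "Value" pairs out of the directive (assumes the
    simple quoted-string form used in the KB snippet)."""
    m = _HEADER_BLOCK.search(conf)
    if m is None:
        return {}
    return dict(re.findall(r'"([^"]+)"\s*=>\s*"([^"]*)"', m.group(2)))


def hsts_policy_ok(headers: dict, min_age: int = 31536000) -> bool:
    """True if an HSTS header with max-age >= min_age is present.
    Header names are compared case-insensitively, as on the wire."""
    for name, val in headers.items():
        if name.lower() == "strict-transport-security":
            m = re.search(r'max-age\s*=\s*(\d+)', val, re.IGNORECASE)
            return m is not None and int(m.group(1)) >= min_age
    return False


if __name__ == "__main__":
    patched = add_hsts_header(SAMPLE_CONF)
    print(patched)
    print("HSTS policy ok:", hsts_policy_ok(configured_headers(patched)))
```

The same hsts_policy_ok check can be run against the headers of a live HTTPS response from the VAMI port to confirm the restart took effect.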