Replying to:
jpearson_ngds

I opened a support case and here was the response I received.
Regarding the vCenter HSTS errors

For the VAMI interface, we currently have a workaround for these errors; see our internal KB below:

=================================================================================================
Adding Strict Transport Security (HSTS) Headers to the vCenter Server Appliance Management Interface (VAMI)

Symptoms
Customers may receive reports from a security scan that the vCenter Server Appliance Management Interface lacks the Strict Transport Security (HSTS) headers.
Cause
The lighttp daemon does not include these headers by default.
Resolution
You can modify the /etc/applmgmt/appliance/lighttpd.conf file to include this header.
 
Replace the lines:
 
setenv.add-response-header = ( "X-UA-Compatible" => "IE=edge",
                               "X-Frame-Options" => "Deny" )
 
With the following:
 
setenv.add-response-header = ( "X-UA-Compatible" => "IE=edge",
                               "X-Frame-Options" => "Deny",
                               "Strict-Transport-Security" => "max-age=31536000; includeSubdomains" )
 
Restart the lighttp daemon:
 
systemctl restart vami-lighttp
=================================================================================================
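To make the KB steps above checkable rather than a one-off manual edit, here is an added example (my own code, not VMware's KB or any vCenter tooling) that does two things: patches the setenv.add-response-header block in a copy of lighttpd.conf exactly as the KB describes, idempotently, and evaluates a set of response headers the way a security scanner would (header present, max-age at least one year, includeSubDomains set). The config fragment is a constructed copy of the lines shown in the KB; the VAMI port (5480) and the assumption that the appliance certificate is trusted by the scanning host are mine, not the KB's.

```python
"""Patch and verify the Strict-Transport-Security header for the VAMI lighttpd.

Added example, not part of the KB or of any VMware tooling. The config
fragment below is a constructed copy of the KB's 'before' lines.
"""
import http.client
import re
import ssl
from typing import Dict, List, Optional

# Constructed copy of the setenv block shown in the KB before the change.
SAMPLE_CONF_BEFORE = '''setenv.add-response-header = ( "X-UA-Compatible" => "IE=edge",
                               "X-Frame-Options" => "Deny" )
'''

# Header value recommended in the KB (one year, subdomains included).
HSTS_VALUE = "max-age=31536000; includeSubdomains"


def add_hsts_to_conf(conf_text: str, hsts_value: str = HSTS_VALUE) -> str:
    """Insert a Strict-Transport-Security entry into the setenv.add-response-header
    block. Idempotent: if the header is already configured, return the text unchanged."""
    if "Strict-Transport-Security" in conf_text:
        return conf_text
    # Non-greedy match up to the first ')' closing the header list.
    block = re.compile(r'(setenv\.add-response-header\s*=\s*\(.*?)\s*\)', re.S)
    m = block.search(conf_text)
    if not m:
        raise ValueError("setenv.add-response-header block not found")
    # 31 spaces lines the new entry up with the existing ones in the KB layout.
    new_entry = ',\n' + ' ' * 31 + f'"Strict-Transport-Security" => "{hsts_value}" )'
    return conf_text[:m.start()] + m.group(1) + new_entry + conf_text[m.end():]


def parse_hsts(header_value: str) -> Dict[str, Optional[str]]:
    """Split an STS header value into directives. Directive names are
    case-insensitive (RFC 6797), so they are lower-cased here; a directive
    without '=value' (e.g. includeSubDomains) maps to None."""
    directives: Dict[str, Optional[str]] = {}
    for part in header_value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition("=")
        directives[name.strip().lower()] = value.strip().strip('"') if value else None
    return directives


def check_hsts(headers: Dict[str, str], min_age: int = 31536000) -> List[str]:
    """Return scanner-style findings for a header map; an empty list passes."""
    lower = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    value = lower.get("strict-transport-security")
    if value is None:
        return ["Strict-Transport-Security header missing"]
    d = parse_hsts(value)
    findings: List[str] = []
    age = d.get("max-age")
    if age is None or not age.isdigit():
        findings.append("max-age directive missing or invalid")
    elif int(age) < min_age:
        findings.append(f"max-age {age} is below {min_age}")
    if "includesubdomains" not in d:
        findings.append("includeSubDomains not set")
    return findings


def fetch_headers(host: str, port: int = 5480, path: str = "/") -> Dict[str, str]:
    """Fetch response headers from a live VAMI (port 5480 is an assumption here).
    Certificate verification stays on; the appliance cert must be trusted."""
    conn = http.client.HTTPSConnection(host, port, context=ssl.create_default_context(), timeout=10)
    try:
        conn.request("HEAD", path)
        return dict(conn.getresponse().getheaders())
    finally:
        conn.close()


if __name__ == "__main__":
    # Offline demonstration on the constructed fragment; no appliance needed.
    print(add_hsts_to_conf(SAMPLE_CONF_BEFORE))
    print("before:", check_hsts({"X-Frame-Options": "Deny"}))
    print("after: ", check_hsts({"Strict-Transport-Security": HSTS_VALUE}))
```

On a real appliance, run `add_hsts_to_conf` over the contents of /etc/applmgmt/appliance/lighttpd.conf, write the result back, restart vami-lighttp as the KB says, and then feed `fetch_headers(host)` into `check_hsts` to confirm the scanner finding is closed. Keep in mind the header only means anything on a successfully verified TLS connection, so an untrusted appliance certificate still needs fixing regardless of HSTS.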

For the Web Client, the HSTS fix is currently available only for VCSA 7.0 and not for VCSA 6.7.

We still have a few bug reports open for VCSA 6.7, and we are currently waiting on our engineering team to come back with a patch.