
"HSTS Missing From HTTPS Server" TCP/IP issue

Hello,

My Nessus scanner returned 3 new vulnerabilities for my vCenter 6.7 (Windows version) =>

9443/tcp - HSTS Missing From HTTPS Server

Description: The remote HTTPS server does not send the HTTP "Strict-Transport-Security" header.

7444/tcp - HSTS Missing From HTTPS Server

Description: The remote HTTPS server does not send the HTTP "Strict-Transport-Security" header.

5443/tcp - HSTS Missing From HTTPS Server

Description: The remote HTTPS server does not send the HTTP "Strict-Transport-Security" header.

I'm looking for a way to fix that.

I didn't find any information in the VMware KB.

Port 9443 =>  vSphere Web client HTTPS

Port 7444 => vCenter Single Sign-On

Port 5443 => vCenter Server graphical user interface internal

I already tried to modify the web.xml (C:\ProgramData\VMware\vCenterServer\runtime\vsphere-client\server\configuration\conf), where I found a section related to enabling HSTS, but after these changes my vCenter Web Client (Flash) didn't start at all.

I have added in the "Filter definitions" section =>

    <filter>
        <filter-name>httpHeaderSecurity</filter-name>
        <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
        <async-supported>true</async-supported>
        <init-param>
            <param-name>hstsEnabled</param-name>
            <param-value>true</param-value>
        </init-param>
        <init-param>
            <param-name>hstsMaxAgeSeconds</param-name>
            <param-value>30758400</param-value>
        </init-param>
        <init-param>
            <param-name>hstsIncludeSubDomains</param-name>
            <param-value>true</param-value>
        </init-param>
        <init-param>
            <param-name>antiClickJackingEnabled</param-name>
            <param-value>false</param-value>
        </init-param>
        <init-param>
            <param-name>blockContentTypeSniffingEnabled</param-name>
            <param-value>false</param-value>
        </init-param>
    </filter>

And in the "Filter Mappings" section =>

    <filter-mapping>
        <filter-name>httpHeaderSecurity</filter-name>
        <!-- A bare "*" is not a valid servlet url-pattern (only "", "/path", "/path/*"
             and "*.ext" are); Tomcat rejects it and the context fails to start.
             "/*" already covers every request, so it is the only pattern needed. -->
        <url-pattern>/*</url-pattern>
        <dispatcher>REQUEST</dispatcher>
    </filter-mapping>

In my company, all TCP issues have to be fixed or justified if not possible ... not always easy.

Do you have an idea?

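A pre-flight check for the edited web.xml, added here as an example (not code from the post above or from VMware): it applies the same url-pattern rules Tomcat enforces when a context starts, so an invalid pattern in a filter-mapping is caught before restarting the Web Client. The embedded sample web.xml is constructed to mirror the mapping quoted in the post; the element names are the standard servlet ones.

```python
"""Validate <filter-mapping> entries in a Tomcat web.xml before a restart."""
import sys
import xml.etree.ElementTree as ET


def valid_url_pattern(p: str) -> bool:
    """Mirror Tomcat's StandardContext.validateURLPattern():
    "" (context root), "/..." (exact or "/*" path mapping) or "*.ext"."""
    if p is None or "\n" in p or "\r" in p:
        return False
    if p == "":
        return True
    if p.startswith("*."):
        return "/" not in p          # extension mapping must not contain a slash
    return p.startswith("/") and "*." not in p


def _local(tag: str) -> str:
    """Strip any XML namespace so namespaced and plain web.xml both work."""
    return tag.rsplit("}", 1)[-1]


def check_filter_mappings(web_xml_text: str) -> list[str]:
    """Return a list of problems found; an empty list means the mappings look fine."""
    root = ET.fromstring(web_xml_text)
    problems = []
    # Names declared in <filter> blocks; a mapping to an unknown name also breaks startup.
    defined = {(c.text or "").strip() for f in root.iter() if _local(f.tag) == "filter"
               for c in f if _local(c.tag) == "filter-name"}
    for fm in root.iter():
        if _local(fm.tag) != "filter-mapping":
            continue
        name, patterns = None, []
        for child in fm:
            if _local(child.tag) == "filter-name":
                name = (child.text or "").strip()
            elif _local(child.tag) == "url-pattern":
                patterns.append((child.text or "").strip())
        if name not in defined:
            problems.append(f"filter-mapping {name!r} refers to an undefined filter")
        for p in patterns:
            if not valid_url_pattern(p):
                problems.append(f"filter-mapping {name!r}: invalid <url-pattern> {p!r}")
    return problems


# Constructed sample reproducing the mapping from the post (the "*" entry is the defect).
SAMPLE = """<web-app>
  <filter><filter-name>httpHeaderSecurity</filter-name>
    <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class></filter>
  <filter-mapping><filter-name>httpHeaderSecurity</filter-name>
    <url-pattern>/*</url-pattern><url-pattern>*</url-pattern>
    <dispatcher>REQUEST</dispatcher></filter-mapping>
</web-app>"""

if __name__ == "__main__":
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE
    for line in check_filter_mappings(text) or ["no problems found"]:
        print(line)
```

Run it with the path to web.xml as the only argument; with no argument it checks the embedded sample.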

Did you ever figure out how to resolve this? I am having the same issue with it showing up on my Nessus scans.


Also having this issue.


I am also having this issue and unable to find any documentation or information.
