2 Replies Latest reply on May 21, 2018 1:43 AM by bashmore

    Response headers in VCSA 6.5

    bashmore Novice

Does anyone know how to set the response headers on the VMware vCenter Server Appliance?

      Looking to mitigate the vulnerabilities by being able to set the following on the appliance


      "Strict-Transport-Security"

      "X-Frame-Options" => "SAMEORIGIN",

      "X-Content-Type-Options" => "nosniff"

        • 1. Re: Response headers in VCSA 6.5
          peetz Master

          Greetings,


          are you referring to a specific vulnerability, a VMware Security Advisory, CVE or alike?


          I looked at the HTTP headers that the vCSA 6.5 sends (with Chrome debug console), and noticed that the headers you mentioned are already sent from the Flash based Web Client (/vsphere-client), but not consistently from the HTML5 client (/ui).


          You can for sure tinker with these settings by editing the web.xml config files of the different Tomcat instances, but this is certainly unsupported by VMware and can cause unwanted side effects like Web Client plugins no longer working as expected.


          - Andreas

          • 2. Re: Response headers in VCSA 6.5
            bashmore Novice

            Hi Andreas


            The report is showing the main web client for the VCSA on port 443 (before choosing the client to use) is showing as not having the headers set.  I have tested both the Flash Web Client and the HTML5 client and both are showing none of the response headers on our system.


I will contact VMware themselves and see what they say; I will post a reply if I get anything from them.


            - Barrie
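A scripted version of the comparison both posters did by hand (which of the three headers each vCSA endpoint actually returns), added here as an example and not taken from the thread. It assumes curl is installed, and the host name is a placeholder; the embedded sample response is constructed, not captured from a real appliance.

```shell
#!/bin/sh
# Report which of the three headers from the original question are missing
# from an HTTP response, so the root (/), Flash (/vsphere-client/) and
# HTML5 (/ui/) endpoints can be compared in one run.

REQUIRED="Strict-Transport-Security X-Frame-Options X-Content-Type-Options"

# missing_headers: read raw response headers on stdin and print the names
# from REQUIRED that are absent (header names are matched case-insensitively,
# CRLF line endings are tolerated).
missing_headers() {
    hdrs=$(cat | tr -d '\r' | tr 'A-Z' 'a-z')
    for h in $REQUIRED; do
        lc=$(printf '%s' "$h" | tr 'A-Z' 'a-z')
        printf '%s\n' "$hdrs" | grep -q "^$lc:" || printf '%s\n' "$h"
    done
}

# check_endpoint URL: fetch only the headers (-I) of one URL and report gaps.
# Redirects are deliberately not followed (no -L), so a 302 from the root
# is judged on its own headers. -k allows the appliance's self-signed cert.
check_endpoint() {
    url=$1
    out=$(curl -sS -k -I "$url" | missing_headers)
    if [ -z "$out" ]; then
        echo "$url: all required headers present"
    else
        echo "$url: missing $(printf '%s' "$out" | tr '\n' ' ')"
    fi
}

# Constructed sample: only X-Frame-Options is set, so the other two
# names should be reported.
SAMPLE='HTTP/1.1 200 OK
Server: Apache
X-Frame-Options: SAMEORIGIN
Content-Type: text/html'

if [ "${1:-}" = "--live" ]; then
    # Placeholder host; replace with the appliance's FQDN.
    for path in / /vsphere-client/ /ui/; do
        check_endpoint "https://vcsa.example.invalid$path"
    done
else
    printf '%s\n' "$SAMPLE" | missing_headers
fi
```

Run with `--live` against the appliance to see the three endpoints side by side; without arguments it only exercises the parser on the constructed sample.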