rwagner
New Member
March 30, 2018
Solved

HTTP Security Header Not Detected in SSL VPN web application

  • March 30, 2018
  • 1 reply
  • 18219 views

I have a problem with the SSL VPN application. The application does not send some security headers: X-XSS-Protection, X-Content-Type-Options and Strict-Transport-Security. I opened a call with support, but the attendant did not help with anything effective; he just said that there are some fixes in version 5.4.8. So I asked him to send me the result of the command "curl -I https://IP_OF_FORTIOS_5.4.8:PORT_OF_SSL_VPN --insecure" as evidence that this had been corrected.

Note that the headers are not present in the response sent by support, so no correction was applied for this.

As an example, I included the output of the same command run against Google, showing what a safe response should look like.

I would like to know if anyone knows whether this is configurable in FortiOS, and how it works. I have an FG 80C.


1 reply

emnoc (Best answer)
New Member
March 30, 2018

That has come up before in an earlier thread. I believe this is not configurable. What audit and compliance check is failing you on this?

ken

rwagner
rwagnerAuthor
New Member
March 31, 2018

We performed a security scan and a pentest, and this vulnerability was detected. I do not believe that a piece of equipment designed to provide security has such a silly failure. There must be something that Fortigate has thought of for this.

Markus
New Member
April 3, 2018

Almost the same with 5.6.3:

HTTP/1.1 200 OK
Date: Tue, 03 Apr 2018 06:14:53 GMT
Server: xxxxxxxx-xxxxx
Set-Cookie: SVPNCOOKIE=; path=/; expires=Tue, 03-Apr-2018 06:14:53 GMT; secure; httponly;
Set-Cookie: SVPNNETWORKCOOKIE=; path=/remote/network; expires=Tue, 03-Apr-2018 06:14:53 GMT; secure; httponly
X-UA-Compatible: requiresActiveX=true
X-Frame-Options: SAMEORIGIN
Content-Security-Policy: frame-ancestors 'self'
X-XSS-Protection: 1; mode=block
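The checks the scanner in this thread is running (missing Strict-Transport-Security, X-Content-Type-Options and X-XSS-Protection, plus the cookie flags visible in the dump above) can be reproduced offline against any `curl -I` output. The script below is an added example written for this page; it is not from the original thread and not Fortinet code. It parses an HTTP/1.1 response head, reports each expected header as ok, missing or weak, and checks Set-Cookie for Secure and HttpOnly. `SAMPLE_RESPONSE` is the 5.6.3 response posted just above, one header per line; `HARDENED_RESPONSE`, the function names and the value patterns in `EXPECTED` are this example's own assumptions about what a scanner accepts, not FortiOS behaviour.

```python
"""Check an HTTP response head for the security headers this thread is about.

Added example, not from the original thread and not Fortinet code. It reads the
raw output of `curl -I https://HOST:PORT --insecure` (or any HTTP/1.1 response
head) and reports which headers are missing or weakly set.
"""
import re
import ssl
import sys
import urllib.error
import urllib.request
from typing import Dict, List, Tuple

# Header -> pattern its value must match to count as "ok" (assumed scanner rules).
# Header names are compared case-insensitively, as HTTP requires.
EXPECTED = {
    "strict-transport-security": re.compile(r"max-age=\d+", re.I),
    "x-content-type-options": re.compile(r"^nosniff$", re.I),
    "x-frame-options": re.compile(r"^(deny|sameorigin)$", re.I),
    "content-security-policy": re.compile(r"\S"),  # any non-empty policy
    # Legacy filter: current browsers ignore it, but scanners still flag it.
    "x-xss-protection": re.compile(r"^1(;\s*mode=block)?$", re.I),
}

# The FortiOS 5.6.3 response posted in the thread, one header per line.
SAMPLE_RESPONSE = """HTTP/1.1 200 OK
Date: Tue, 03 Apr 2018 06:14:53 GMT
Server: xxxxxxxx-xxxxx
Set-Cookie: SVPNCOOKIE=; path=/; expires=Tue, 03-Apr-2018 06:14:53 GMT; secure; httponly;
Set-Cookie: SVPNNETWORKCOOKIE=; path=/remote/network; expires=Tue, 03-Apr-2018 06:14:53 GMT; secure; httponly
X-UA-Compatible: requiresActiveX=true
X-Frame-Options: SAMEORIGIN
Content-Security-Policy: frame-ancestors 'self'
X-XSS-Protection: 1; mode=block
"""

# Constructed response showing what passes every check (not a real device's output).
HARDENED_RESPONSE = """HTTP/1.1 200 OK
Date: Tue, 03 Apr 2018 06:14:53 GMT
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
Content-Security-Policy: default-src 'self'; frame-ancestors 'self'
X-XSS-Protection: 1; mode=block
Set-Cookie: SVPNCOOKIE=; path=/; secure; httponly
"""


def parse_response_head(raw: str) -> Tuple[str, Dict[str, List[str]]]:
    """Split a response head into its status line and a lower-cased header map."""
    lines = raw.strip().splitlines()
    status = lines[0].strip()
    headers: Dict[str, List[str]] = {}
    for line in lines[1:]:
        if not line.strip():  # a blank line ends the head
            break
        name, sep, value = line.partition(":")
        if sep:
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return status, headers


def audit(raw: str) -> Dict[str, str]:
    """Return {check: 'ok' | 'missing' | 'weak: <value>' | 'missing <flags>'}."""
    _, headers = parse_response_head(raw)
    findings: Dict[str, str] = {}
    for name, pattern in EXPECTED.items():
        values = headers.get(name, [])
        if not values:
            findings[name] = "missing"
        elif not any(pattern.search(v) for v in values):
            findings[name] = "weak: " + values[0]
        else:
            findings[name] = "ok"
    # Session cookies should carry both the Secure and the HttpOnly attribute.
    for cookie in headers.get("set-cookie", []):
        cname = cookie.split("=", 1)[0].strip()
        attrs = {p.strip().split("=", 1)[0].lower() for p in cookie.split(";")[1:]}
        lacking = [f for f in ("secure", "httponly") if f not in attrs]
        findings["set-cookie " + cname] = "ok" if not lacking else "missing " + ", ".join(lacking)
    return findings


def missing_headers(raw: str) -> List[str]:
    """Only the expected headers that are absent, in EXPECTED order."""
    result = audit(raw)
    return [k for k in EXPECTED if result[k] == "missing"]


def fetch_head(url: str, verify_tls: bool = True) -> str:
    """Fetch a response head the way `curl -I` does. verify_tls=False mirrors
    `--insecure` and belongs only on a lab box with a self-signed certificate."""
    ctx = ssl.create_default_context()
    if not verify_tls:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    req = urllib.request.Request(url, method="HEAD")
    try:
        with urllib.request.urlopen(req, context=ctx, timeout=10) as resp:
            return "HTTP/1.1 %d %s\n%s" % (resp.status, resp.reason, resp.headers)
    except urllib.error.HTTPError as err:  # 4xx/5xx responses still carry headers
        return "HTTP/1.1 %d %s\n%s" % (err.code, err.reason, err.headers)


def main(argv: List[str]) -> None:
    targets = [a for a in argv[1:] if not a.startswith("--")]
    raw = fetch_head(targets[0], verify_tls="--insecure" not in argv) if targets else SAMPLE_RESPONSE
    for check, result in audit(raw).items():
        print(f"{check:35} {result}")


if __name__ == "__main__":
    main(sys.argv)
```

Run with no arguments to audit the posted 5.6.3 response (Strict-Transport-Security and X-Content-Type-Options come back missing, everything else ok), or with `https://IP:PORT --insecure` to audit a live box the way the thread's curl command does. Two caveats a practitioner should keep in mind when reading the results: X-XSS-Protection is a legacy header that current browsers ignore, so a scanner complaint about it is a hygiene finding rather than an exploitable gap; and a Content-Security-Policy consisting only of `frame-ancestors 'self'`, as in the posted response, restricts framing but provides no script-source restriction, so it does not replace the missing headers. HSTS is also only honoured when served over HTTPS, which the SSL VPN portal already is.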