rwagner
New Contributor

HTTP Security Header Not Detected in SSL VPN web application

I have a problem with the SSL VPN application. The application does not contain some security headers:
X-XSS-Protection
X-Content-Type-Options
Strict-Transport-Security
I opened a call with support, but the attendant did not help with anything effective. He just said that there are some fixes in version 5.4.8. So I asked him to send me the result of the "curl -I https://IP_OF_FORTIOS_5.4.8:PORT_OF_SSL_VPN --insecure" command, as evidence of this being corrected.

Note that the headers are not present in the response sent by the support. So no correction was applied for this.

As an example, I put the output of the command executed against Google, showing what a safe response should look like.

I would like to know if anyone knows whether this is configurable in FortiOS, and how it works. I have an FG 80C.

emnoc
Esteemed Contributor III

That has come up before in an earlier thread. I believe this is not configurable. What audit and compliance check is failing you on this?

ken

PCNSE
NSE
StrongSwan


rwagner
New Contributor

We performed a security scan and pentest, and this vulnerability was detected. I do not believe that a piece of equipment that is designed to provide security has such a silly failure. There must be something that Fortigate has thought of for this failure.

Markus
Valued Contributor

Almost the same with 5.6.3


HTTP/1.1 200 OK
Date: Tue, 03 Apr 2018 06:14:53 GMT
Server: xxxxxxxx-xxxxx
Set-Cookie: SVPNCOOKIE=; path=/; expires=Tue, 03-Apr-2018 06:14:53 GMT; secure; httponly;
Set-Cookie: SVPNNETWORKCOOKIE=; path=/remote/network; expires=Tue, 03-Apr-2018 06:14:53 GMT; secure; httponly
X-UA-Compatible: requiresActiveX=true
X-Frame-Options: SAMEORIGIN
Content-Security-Policy: frame-ancestors 'self'
X-XSS-Protection: 1; mode=block


________________________________________________________
--- NSE 4 ---
________________________________________________________
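A defender-side version of the check this thread does by hand with "curl -I", added here as an example that is not from the thread or from Fortinet: it parses the header block of a response and reports which of the headers the scan expected are missing or set to a weak value. The SAMPLE_563 text is constructed from the 5.6.3 response quoted above; the header list and the per-value checks are my own assumptions about what such a scanner looks for.

```python
# Added example (not from the forum thread): parse the header block of a
# "curl -I" response and report which recommended security headers are absent.

# Headers the original poster's scan expected, plus those the 5.6.3 response
# shows, each with a minimal sanity check on its value (assumed policy).
EXPECTED = {
    "strict-transport-security": lambda v: "max-age=" in v.lower(),
    "x-content-type-options": lambda v: v.strip().lower() == "nosniff",
    "x-frame-options": lambda v: v.strip().upper() in ("DENY", "SAMEORIGIN"),
    "content-security-policy": lambda v: "frame-ancestors" in v.lower(),
    "x-xss-protection": lambda v: v.strip().startswith("1"),
}

def parse_headers(raw: str) -> dict:
    """Map lower-cased header name -> list of values (repeats such as Set-Cookie kept)."""
    headers = {}
    lines = raw.replace("\r\n", "\n").strip().split("\n")
    for line in lines[1:]:            # skip the status line (HTTP/1.1 200 OK)
        if not line.strip():
            break                     # blank line ends the header block
        name, sep, value = line.partition(":")
        if sep:                       # tolerate junk lines from copy/paste
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers

def audit(raw: str) -> dict:
    """Return {header: 'missing' | 'weak'} for every expected header not set correctly."""
    present = parse_headers(raw)
    findings = {}
    for name, ok in EXPECTED.items():
        values = present.get(name, [])
        if not values:
            findings[name] = "missing"
        elif not any(ok(v) for v in values):
            findings[name] = "weak"
    return findings

# Constructed sample modelled on the 5.6.3 response quoted in the thread.
SAMPLE_563 = """HTTP/1.1 200 OK
Date: Tue, 03 Apr 2018 06:14:53 GMT
Set-Cookie: SVPNCOOKIE=; path=/; expires=Tue, 03-Apr-2018 06:14:53 GMT; secure; httponly;
Set-Cookie: SVPNNETWORKCOOKIE=; path=/remote/network; secure; httponly
X-UA-Compatible: requiresActiveX=true
X-Frame-Options: SAMEORIGIN
Content-Security-Policy: frame-ancestors 'self'
X-XSS-Protection: 1; mode=block
"""

if __name__ == "__main__":
    print(audit(SAMPLE_563))  # {'strict-transport-security': 'missing', 'x-content-type-options': 'missing'}
```

Feed it the saved output of "curl -sI https://HOST:PORT --insecure" instead of SAMPLE_563 to audit a live appliance; a header listed as "weak" is present but not in a form the assumed policy accepts.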