HTTP Security Header Not Detected in SSL VPN web application
I have a problem with the SSL VPN application. The application does not contain some security headers: X-XSS-Protection, X-Content-Type-Options, Strict-Transport-Security. I opened the call with the support, but the attendant did not help with anything effective. Just said that there are some fixes in version 5.4.8. So I asked him to send me the result of the "curl -I https://IP_OF_FOTIOS_5.4.8:PORT_OF_SSL_VPN --insecure" command, as evidence of this being corrected.
Note that the headers are not present in the response sent by the support. So no correction was applied for this.
As an example, I put the output of the command executed against Google, showing how it should be a safe response.
I would like to know if anyone knows if this is configurable in FortiOS, and how does it work? I have FG 80C.
Labels: 5.4
That has come up before in an earlier thread. I believe this is not configurable. What audit and compliance check is failing you on this?
ken
PCNSE
NSE
StrongSwan
We performed a security scan and pentest, so this vulnerability was detected. I do not believe that a piece of equipment that is designed to provide security has such a silly failure. There must be something that FortiGate has thought for this failure.
Almost the same with 5.6.3
HTTP/1.1 200 OK
Date: Tue, 03 Apr 2018 06:14:53 GMT
Server: xxxxxxxx-xxxxx
Set-Cookie: SVPNCOOKIE=; path=/; expires=Tue, 03-Apr-2018 06:14:53 GMT; secure; httponly;
Set-Cookie: SVPNNETWORKCOOKIE=; path=/remote/network; expires=Tue, 03-Apr-2018 06:14:53 GMT; secure; httponly
X-UA-Compatible: requiresActiveX=true
X-Frame-Options: SAMEORIGIN
Content-Security-Policy: frame-ancestors 'self'
X-XSS-Protection: 1; mode=block
________________________________________________________
--- NSE 4 ---
________________________________________________________
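
Added example, not part of any post in this thread and not Fortinet code: a shell function that reads a saved `curl -I` response and lists which of the three headers named in the first post are absent, run here on the 5.6.3 response quoted above. The function names and the host:port argument of `check_host` are assumptions made for illustration.

```shell
#!/bin/sh
# Headers the first post reports as not detected on the SSL VPN portal.
REQUIRED="X-XSS-Protection X-Content-Type-Options Strict-Transport-Security"

# missing_headers: read a raw response header block on stdin and print,
# one per line, every required header that does not appear in it.
# Header names are compared case-insensitively and CRLF endings are tolerated.
missing_headers() {
    # Keep only "Name: value" lines and reduce them to lowercase names.
    present=$(tr -d '\r' | awk -F: 'NF > 1 { print tolower($1) }')
    for h in $REQUIRED; do
        lower=$(printf '%s' "$h" | tr 'A-Z' 'a-z')
        printf '%s\n' "$present" | grep -qxF "$lower" || printf '%s\n' "$h"
    done
}

# check_host (hypothetical helper): same request as in the first post,
# against a host:port you administer, e.g. check_host 192.0.2.10:10443
check_host() {
    curl -sI --insecure "https://$1" | missing_headers
}

# The FortiOS 5.6.3 response quoted in the thread, one header per line.
sample_563() {
    cat <<'EOF'
HTTP/1.1 200 OK
Date: Tue, 03 Apr 2018 06:14:53 GMT
Server: xxxxxxxx-xxxxx
Set-Cookie: SVPNCOOKIE=; path=/; expires=Tue, 03-Apr-2018 06:14:53 GMT; secure; httponly;
Set-Cookie: SVPNNETWORKCOOKIE=; path=/remote/network; expires=Tue, 03-Apr-2018 06:14:53 GMT; secure; httponly
X-UA-Compatible: requiresActiveX=true
X-Frame-Options: SAMEORIGIN
Content-Security-Policy: frame-ancestors 'self'
X-XSS-Protection: 1; mode=block
EOF
}

# Offline run on the quoted response.
sample_563 | missing_headers
```

On the quoted 5.6.3 response this reports that X-XSS-Protection is now present while X-Content-Type-Options and Strict-Transport-Security are still missing.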