Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
rwagner
New Contributor

Created on ‎03-30-2018 07:41 AM

HTTP Security Header Not Detected in SSL VPN web aplication

I have a problem with the SSL VPN application. The application does not contain some security headers. X-XSS-Protection X-Content-Type-Options Strict-Transport-Security I opened the call with the support, but the attendant did not help with anything effective. Just said that there are some fixes in version 5.4.8. So I asked him to send me the result in the "curl -I https: //IP_OF_FOTIOS_5.4.8: PORT_OF_SSL_VPN --insecure" command, as evidenced by this being corrected.

 

 

Note that the headers are not present in the response sent by the support. So no correction was applied for this.

As an example, I put the output of the command executed in google, showing how it should be a safe response.

I would like to know if anyone knows if this is configurable in FORTIOS, and how does it work? I have FG 80C.

Preview file
99 KB
Labels:
15968
0 Kudos
1 Solution
emnoc
Esteemed Contributor III

Created on ‎03-30-2018 09:07 AM

That has came up  b4 in an earlier thread. i believe this is not configurable. What audit  and compliance check is failing you on  this ?

 

ken

 

PCNSE 

NSE 

StrongSwan  

View solution in original post

PCNSE NSE StrongSwan
4329
0 Kudos
3 REPLIES 3
emnoc
Esteemed Contributor III

Created on ‎03-30-2018 09:07 AM

That has came up  b4 in an earlier thread. i believe this is not configurable. What audit  and compliance check is failing you on  this ?

 

ken

 

PCNSE 

NSE 

StrongSwan  

PCNSE NSE StrongSwan
4330
0 Kudos
rwagner
New Contributor
In response to emnoc

Created on ‎03-31-2018 05:48 AM

We performed Security Scan and Pentest, so this vulnerability was detected. I do not believe that a piece of equipment that is designed to provide security has such a silly failure. There must be something that Fortigate has thought for this failure.

4250
0 Kudos
Markus
Valued Contributor
In response to rwagner

Created on ‎04-02-2018 11:17 PM

Allmost the same with 5.6.3

 

HTTP/1.1 200 OK Date: Tue, 03 Apr 2018 06:14:53 GMT Server: xxxxxxxx-xxxxx Set-Cookie:  SVPNCOOKIE=; path=/; expires=Tue, 03-Apr-2018 06:14:53 GMT; secure; httponly; Set-Cookie: SVPNNETWORKCOOKIE=; path=/remote/network; expires=Tue, 03-Apr-2018 06:14:53 GMT; secure; httponly X-UA-Compatible: requiresActiveX=true X-Frame-Options: SAMEORIGIN Content-Security-Policy: frame-ancestors 'self' X-XSS-Protection: 1; mode=block


________________________________________________________
--- NSE 4 ---
________________________________________________________

________________________________________________________--- NSE 4 ---________________________________________________________
4250
0 Kudos
Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.