Solved

Pen test Remediation required - Enable HSTS and Hide Email server type / version

  • February 28, 2024
  • 5 replies
  • 124 views

sameer
Contributor

FME Flow 2023.2.1
Build 23774


I’m planning on upgrading FME Form / Flow this weekend which includes fixing the following vulnerabilities detected from our internal Pen Test.


USR-640 Email Servers Advertise Software Type and Version 

Removing the software banner from the email server is typically done in the configuration file, for example sendmail.cf or postfix.conf.

Is it possible to fix this and where would the file(s) be located?

What change should take place?


USR-622 HSTS Missing from HTTPS Server

Is it simply enough to add the following to the web.xml config file?


<!-- Enable HSTS via Tomcat's built-in HttpHeaderSecurityFilter.
     Note: the filter only adds Strict-Transport-Security when Tomcat sees the
     request as secure (request.isSecure()). If TLS terminates on a reverse
     proxy in front of Tomcat, the connector or RemoteIpFilter must mark the
     request as secure or the header is never sent. -->
<filter>
    <filter-name>httpHeaderSecurity</filter-name>
    <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
    <init-param>
        <param-name>hstsEnabled</param-name>
        <param-value>true</param-value>
    </init-param>
    <!-- One year, the minimum most scanners (and the preload list) expect. -->
    <init-param>
        <param-name>hstsMaxAgeSeconds</param-name>
        <param-value>31536000</param-value>
    </init-param>
    <init-param>
        <param-name>hstsIncludeSubDomains</param-name>
        <param-value>true</param-value>
    </init-param>
    <!-- preload is a long-term commitment: once the domain is on the browser
         preload list every subdomain must serve valid HTTPS. -->
    <init-param>
        <param-name>hstsPreload</param-name>
        <param-value>true</param-value>
    </init-param>
    <!-- X-Frame-Options ALLOW-FROM is accepted by Tomcat but ignored by current
         browsers; DENY or SAMEORIGIN (or a CSP frame-ancestors directive) is
         what actually takes effect. -->
    <init-param>
        <param-name>antiClickJackingOption</param-name>
        <param-value>ALLOW-FROM</param-value>
    </init-param>
    <init-param>
        <param-name>antiClickJackingUri</param-name>
        <param-value>https://OUR_PRIMARY_DOMAIN.HERE</param-value>
    </init-param>
    <async-supported>true</async-supported>
</filter>

<!-- Map the filter onto every request -->
<filter-mapping>
    <filter-name>httpHeaderSecurity</filter-name>
    <url-pattern>/*</url-pattern>
    <dispatcher>REQUEST</dispatcher>
</filter-mapping>


I’m able to check if HSTS is enabled using my own PowerShell script thereafter as I did for my other servers. 
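A way to verify both findings before and after the change, offered here as an added example rather than anything from the original post, from Safe Software or from FME Flow itself: check_hsts() grades a Strict-Transport-Security header against the policy the web.xml filter above is meant to emit (one-year max-age, includeSubDomains, preload), and smtp_banner_disclosures() flags product names and version strings in an SMTP 220 greeting, which is what a USR-640 style rule looks for. The header dictionaries and banner strings at the bottom are constructed samples, the hostnames are placeholders, and the live-fetch helpers assume a reachable HTTPS endpoint and an SMTP listener on port 25.

```python
"""Offline checker for the two pen-test findings: HSTS policy and SMTP banner."""
import re
import smtplib
import sys
import urllib.request

ONE_YEAR = 31536000  # matches hstsMaxAgeSeconds in the web.xml filter


def parse_hsts(value):
    """Split 'max-age=31536000; includeSubDomains; preload' into a dict.
    Directive names are case-insensitive (RFC 6797 section 6.1)."""
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        directives[name.strip().lower()] = val.strip().strip('"')
    return directives


def check_hsts(headers, expect_preload=False):
    """Return a list of findings; an empty list means the policy is as strong as
    the filter intends. Header lookup is case-insensitive."""
    lower = {k.lower(): v for k, v in headers.items()}
    value = lower.get("strict-transport-security")
    if value is None:
        return ["Strict-Transport-Security header missing (USR-622)"]
    d = parse_hsts(value)
    findings = []
    max_age = int(d["max-age"]) if d.get("max-age", "").isdigit() else None
    if max_age is None:
        findings.append("max-age directive missing or not numeric")
    elif max_age < ONE_YEAR:
        findings.append(f"max-age={max_age} is below one year ({ONE_YEAR})")
    if "includesubdomains" not in d:
        findings.append("includeSubDomains missing")
    if expect_preload and "preload" not in d:
        findings.append("preload missing")
    # hstspreload.org only accepts includeSubDomains plus max-age >= 1 year.
    if "preload" in d and ("includesubdomains" not in d or max_age is None or max_age < ONE_YEAR):
        findings.append("preload set but preload-list requirements are not met")
    return findings


# Product names a banner-disclosure rule typically flags, plus a version pattern.
BANNER_PRODUCTS = ("postfix", "sendmail", "exim", "microsoft esmtp mail service", "exchange")
VERSION_RE = re.compile(r"\b\d+\.\d+(?:\.\d+)*\b")


def smtp_banner_disclosures(banner):
    """Return the product names and version strings found in a 220 greeting.
    An empty list means the banner is hostname-only."""
    low = banner.lower()
    found = [p for p in BANNER_PRODUCTS if p in low]
    found.extend(VERSION_RE.findall(banner))
    return found


def fetch_headers(url):
    """Live check (assumes a trusted certificate): GET the URL, return headers."""
    with urllib.request.urlopen(url, timeout=10) as resp:
        return dict(resp.headers)


def fetch_smtp_banner(host, port=25):
    """Live check: open the SMTP session and return the 220 greeting text."""
    smtp = smtplib.SMTP(timeout=10)
    code, msg = smtp.connect(host, port)
    smtp.quit()
    return f"{code} {msg.decode(errors='replace')}"


# Constructed samples, not captured from any real server.
SAMPLE_STRONG = {"Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload"}
SAMPLE_WEAK = {"Strict-Transport-Security": "max-age=300"}
SAMPLE_NONE = {"Content-Type": "text/html"}
SAMPLE_BANNER_LEAKY = "220 mail.example.com ESMTP Postfix (Ubuntu)"
SAMPLE_BANNER_CLEAN = "220 mail.example.com ESMTP"

if __name__ == "__main__":
    if len(sys.argv) == 3:  # usage: check.py https://flow.example.com mail.example.com
        print(check_hsts(fetch_headers(sys.argv[1]), expect_preload=True) or "HSTS OK")
        print(smtp_banner_disclosures(fetch_smtp_banner(sys.argv[2])) or "banner OK")
    else:
        for name, hdrs in (("strong", SAMPLE_STRONG), ("weak", SAMPLE_WEAK), ("none", SAMPLE_NONE)):
            print(name, check_hsts(hdrs, expect_preload=True) or "OK")
        for b in (SAMPLE_BANNER_LEAKY, SAMPLE_BANNER_CLEAN):
            print(b, "->", smtp_banner_disclosures(b) or "OK")
```

Run it with no arguments to see the constructed samples graded; with a URL and a mail host it performs the same checks live. The banner check is deliberately a string match rather than a protocol probe, so the same function can be pointed at a greeting captured in a packet trace or a scanner report.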


5 replies

hkingsbury
Celebrity
  • Celebrity
  • 1632 replies
  • February 28, 2024

It’s probably a good idea to reach out to your local reseller/Safe to get some guidance on this in case there are any flow-on effects of making these changes.


sameer
Contributor
  • Author
  • Contributor
  • 63 replies
  • February 29, 2024

It’s probably a good idea to reach out to your local reseller/Safe to get some guidance on this in case there are any flow-on effects of making these changes.

I don’t think there will be a knock-on effect. HSTS should be fine, and hiding software versions and creating custom error pages are common (on Tomcat or any other web server). I have custom error pages set up already on other Tomcat servers. That’s part of security hardening.

It’s more about what works for FME Server.

I could have reached out to our reseller, but it will most likely end up with Safe in any case. I might do that as well.


sameer
Contributor
  • Author
  • Contributor
  • 63 replies
  • February 29, 2024

HSTS has now been enabled.



sameer
Contributor
  • Author
  • Contributor
  • 63 replies
  • Best Answer
  • March 1, 2024

Closing this case


steveatsafe
Safer
  • Safer
  • 422 replies
  • October 3, 2024

To close the loop I’m adding a link to Sameer’s configuration and an article.


Thanks.