Solved

Pen test Remediation required - Enable HSTS and Hide Email server type / version

  • 28 February 2024
  • 4 replies
  • 54 views


FME Flow 2023.2.1
Build 23774


I’m planning on upgrading FME Form / Flow this weekend, which includes fixing the following vulnerabilities detected by our internal pen test.


USR-640 Email Servers Advertise Software Type and Version 

Removing the software banner from the email server is typically done in the configuration file, for example sendmail.cf or postfix.conf.

Is it possible to fix this and where would the file(s) be located?

What change should take place?


USR-622 HSTS Missing from HTTPS Server

Is it simply enough to add the following to the web.xml config file?


<!-- Enable HSTS. Tomcat's HttpHeaderSecurityFilter only adds the
     Strict-Transport-Security header when request.isSecure() is true, i.e. on
     the HTTPS connector itself (or behind a TLS-terminating proxy that marks the
     request secure via RemoteIpValve / X-Forwarded-Proto). Plain-HTTP responses
     never carry it. -->
<filter>
  <filter-name>httpHeaderSecurity</filter-name>
  <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
  <init-param>
    <param-name>hstsEnabled</param-name>
    <param-value>true</param-value>
  </init-param>
  <init-param>
    <!-- one year; browsers cache the policy for this long after the first HTTPS visit -->
    <param-name>hstsMaxAgeSeconds</param-name>
    <param-value>31536000</param-value>
  </init-param>
  <init-param>
    <!-- extends the policy to every subdomain of this host, so all of them must serve valid HTTPS -->
    <param-name>hstsIncludeSubDomains</param-name>
    <param-value>true</param-value>
  </init-param>
  <init-param>
    <!-- emits the "preload" token; it has no effect until the domain is submitted to the browser preload list -->
    <param-name>hstsPreload</param-name>
    <param-value>true</param-value>
  </init-param>
  <init-param>
    <!-- X-Frame-Options: current browsers ignore ALLOW-FROM (they only honour DENY and SAMEORIGIN),
         so this value gives no framing protection; CSP frame-ancestors is the supported way to allow one origin -->
    <param-name>antiClickJackingOption</param-name>
    <param-value>ALLOW-FROM</param-value>
  </init-param>
  <init-param>
    <param-name>antiClickJackingUri</param-name>
    <param-value>https://OUR_PRIMARY_DOMAIN.HERE</param-value>
  </init-param>
  <async-supported>true</async-supported>
</filter>

<!-- Apply the filter to every request handled by this context -->
<filter-mapping>
  <filter-name>httpHeaderSecurity</filter-name>
  <url-pattern>/*</url-pattern>
  <dispatcher>REQUEST</dispatcher>
</filter-mapping>


I’m able to check afterwards whether HSTS is enabled using my own PowerShell script, as I did for my other servers.


Best answer by sameer 1 March 2024, 11:32

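An added check for both findings in the post above (example code written for this page; it is not from the thread, from FME Flow or from Safe Software). It assumes, which the post does not state, that the flagged mail listener is Postfix: its default greeting comes from `smtpd_banner = $myhostname ESMTP $mail_name ($mail_version)` in /etc/postfix/main.cf, and setting `smtpd_banner = $myhostname ESMTP` there followed by `postfix reload` removes the product and version; sendmail's equivalent is the `SmtpGreetingMessage` option (`confSMTP_LOGIN_MSG` in the .mc file). All hostnames and banner strings are constructed. The HSTS part parses a Strict-Transport-Security value and checks it against what the web.xml filter asks for, including the preload-list prerequisites, and the two `live_*` functions do the same against a real host; note that Tomcat's HttpHeaderSecurityFilter only emits the header when the request is secure, so a proxy terminating TLS in front of FME Flow must pass that through or the header never appears.

```python
"""Offline checks for the two pen-test findings above (USR-640 SMTP banner
disclosure and USR-622 missing HSTS), plus optional live probes.
Example code added for this page; not from the thread or from FME Flow.
The Postfix assumption and every hostname/banner below are constructed."""
from __future__ import annotations

import http.client
import re
import socket
import ssl

# Constructed greetings: a stock Postfix default, a stock sendmail default, and
# the hardened Postfix form produced by  smtpd_banner = $myhostname ESMTP
# in /etc/postfix/main.cf (assumption: the flagged listener is Postfix).
LEAKY_BANNER = "220 mail.example.org ESMTP Postfix (Ubuntu)"
SENDMAIL_BANNER = "220 mx.example.org ESMTP Sendmail 8.15.2/8.15.2; Thu, 29 Feb 2024 10:00:00 +0000"
CLEAN_BANNER = "220 mail.example.org ESMTP"

_PRODUCT_RE = re.compile(r"\b(postfix|sendmail|exim|qmail|exchange|microsoft)\b", re.I)
_VERSION_RE = re.compile(r"\b\d+\.\d+(?:\.\d+)*\b")


def banner_findings(banner: str) -> list:
    """Return the disclosure problems a scanner would raise for an SMTP 220 greeting."""
    problems = []
    if not banner.startswith("220"):
        problems.append("not a 220 greeting")
    if _PRODUCT_RE.search(banner):
        problems.append("advertises software product")
    if _VERSION_RE.search(banner):
        problems.append("advertises version number")
    if re.search(r"\([^)]*\)", banner):
        problems.append("parenthesised vendor/OS tag present")
    return problems


def parse_hsts(header_value: str) -> dict:
    """Split a Strict-Transport-Security value into directives (names lower-cased);
    valueless directives such as includeSubDomains map to True."""
    directives = {}
    for part in header_value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, has_value, value = part.partition("=")
        directives[name.strip().lower()] = value.strip().strip('"') if has_value else True
    return directives


def hsts_findings(header_value, min_max_age: int = 31536000,
                  require_subdomains: bool = True) -> list:
    """Evaluate the header the web.xml filter should produce. Returns [] when the
    policy meets min_max_age / includeSubDomains and, if 'preload' is present,
    the preload-list prerequisites (max-age of at least one year, includeSubDomains)."""
    if header_value is None:
        return ["Strict-Transport-Security header missing"]
    d = parse_hsts(header_value)
    problems = []
    age = None
    if "max-age" not in d:
        problems.append("max-age directive missing (header is invalid)")
    else:
        try:
            age = int(d["max-age"])
        except (TypeError, ValueError):
            problems.append("max-age is not an integer")
        else:
            if age == 0:
                problems.append("max-age=0 disables HSTS")
            elif age < min_max_age:
                problems.append(f"max-age {age} is below the required {min_max_age}")
    if require_subdomains and "includesubdomains" not in d:
        problems.append("includeSubDomains missing")
    if "preload" in d and ("includesubdomains" not in d or age is None or age < 31536000):
        problems.append("preload set but preload-list prerequisites not met")
    return problems


def live_smtp_banner(host: str, port: int = 25, timeout: float = 5.0) -> str:
    """Read the greeting from a live SMTP listener (network; not used by the offline checks)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        return sock.recv(512).decode("ascii", "replace").strip()


def live_hsts_header(host: str, port: int = 443, timeout: float = 5.0):
    """HEAD / over TLS and return the Strict-Transport-Security value, or None if absent.
    HSTS only counts on the HTTPS response, so this never talks plain HTTP."""
    conn = http.client.HTTPSConnection(host, port, timeout=timeout,
                                       context=ssl.create_default_context())
    try:
        conn.request("HEAD", "/")
        return conn.getresponse().getheader("Strict-Transport-Security")
    finally:
        conn.close()


if __name__ == "__main__":
    for banner in (LEAKY_BANNER, SENDMAIL_BANNER, CLEAN_BANNER):
        print(f"{banner!r}: {banner_findings(banner) or 'clean'}")
    for value in (None, "max-age=0", "max-age=15768000; includeSubDomains",
                  "max-age=31536000; includeSubDomains; preload"):
        print(f"{value!r}: {hsts_findings(value) or 'ok'}")
```

To verify a real host after the change, call `hsts_findings(live_hsts_header("fmeflow.example.org"))` and `banner_findings(live_smtp_banner("mail.example.org"))` (constructed names); an empty list from each is the result the scanner needs to see.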



It’s probably a good idea to reach out to your local reseller/Safe to get some guidance on this, in case there are any flow-on effects of making these changes.



I don’t think there will be a knock-on effect. HSTS should be fine, and hiding software versions and creating custom error pages are common (on Tomcat or any other web server). I already have custom error pages set up on other Tomcat servers. That’s part of security hardening.

It’s more about what works for FME Server.

I could have reached our reseller but it will most likely end up with Safe in any case. I might do that as well.


HSTS has now been enabled.



Closing this case
