Solved

Pen test Remediation required - Enable HSTS and Hide Email server type / version


sameer
Contributor

FME Flow 2023.2.1
Build 23774

 

I’m planning on upgrading FME Form / Flow this weekend which includes fixing the following vulnerabilities detected from our internal Pen Test.

 

USR-640 Email Servers Advertise Software Type and Version 

Removing the software banner from the email server is typically done in the configuration file, for example sendmail.cf or postfix.conf.

Is it possible to fix this and where would the file(s) be located?

What change should take place?

 

USR-622 HSTS Missing from HTTPS Server

Is it simply enough to add the following to the web.xml config file?

 

<!-- Tomcat HttpHeaderSecurityFilter: adds Strict-Transport-Security (HSTS) and
     X-Frame-Options headers to every response matched by the filter-mapping below.
     Note: the HSTS header is only written when Tomcat sees the request as secure
     (HTTPS on the connector itself, or a proxy-aware setup such as RemoteIpValve). -->
<filter>
    <filter-name>httpHeaderSecurity</filter-name>
    <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
    <init-param>
        <param-name>hstsEnabled</param-name>
        <param-value>true</param-value>
    </init-param>
    <init-param>
        <!-- one year; scanners typically expect at least this -->
        <param-name>hstsMaxAgeSeconds</param-name>
        <param-value>31536000</param-value>
    </init-param>
    <init-param>
        <param-name>hstsIncludeSubDomains</param-name>
        <param-value>true</param-value>
    </init-param>
    <init-param>
        <!-- adds the "preload" directive; only submit the domain to the browser
             preload list once max-age and includeSubDomains are final -->
        <param-name>hstsPreload</param-name>
        <param-value>true</param-value>
    </init-param>
    <init-param>
        <!-- X-Frame-Options: ALLOW-FROM is obsolete in current browsers (a CSP
             frame-ancestors directive is the replacement); DENY and SAMEORIGIN are honoured -->
        <param-name>antiClickJackingOption</param-name>
        <param-value>ALLOW-FROM</param-value>
    </init-param>
    <init-param>
        <param-name>antiClickJackingUri</param-name>
        <param-value>https://OUR_PRIMARY_DOMAIN.HERE</param-value>
    </init-param>
    <async-supported>true</async-supported>
</filter>

<!-- Apply the header filter to every request path -->
<filter-mapping>
    <filter-name>httpHeaderSecurity</filter-name>
    <url-pattern>/*</url-pattern>
    <dispatcher>REQUEST</dispatcher>
</filter-mapping>

 

I’m able to check if HSTS is enabled using my own PowerShell script thereafter as I did for my other servers. 
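Added example, not part of the original post and not Safe Software's or the author's script: a small Python checker that reads the hstsEnabled / hstsMaxAgeSeconds / hstsIncludeSubDomains / hstsPreload init-params out of a web.xml filter fragment (a constructed copy of the one above), derives the Strict-Transport-Security value Tomcat's HttpHeaderSecurityFilter is expected to send, and validates an observed response header the way a scanner finding like USR-622 would (header missing, max-age too short, includeSubDomains or preload absent). The header format used for the expected value is an assumption based on the Tomcat filter's behaviour; the comparison normalises directives so spacing differences do not matter.

```python
"""Derive the expected HSTS header from a web.xml filter fragment and validate an observed one.

Added example for the question above; not code from the original post or from Safe Software.
"""
import urllib.request
import xml.etree.ElementTree as ET

# Constructed copy of the <filter> fragment from the question (only the HSTS params are
# needed here; the anti-clickjacking params are ignored by this checker).
WEB_XML_FILTER = """<filter>
    <filter-name>httpHeaderSecurity</filter-name>
    <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
    <init-param><param-name>hstsEnabled</param-name><param-value>true</param-value></init-param>
    <init-param><param-name>hstsMaxAgeSeconds</param-name><param-value>31536000</param-value></init-param>
    <init-param><param-name>hstsIncludeSubDomains</param-name><param-value>true</param-value></init-param>
    <init-param><param-name>hstsPreload</param-name><param-value>true</param-value></init-param>
</filter>"""


def filter_params(xml_text):
    """Return {param-name: param-value} for every init-param in a <filter> element."""
    root = ET.fromstring(xml_text)
    return {p.findtext("param-name").strip(): p.findtext("param-value").strip()
            for p in root.findall("init-param")}


def expected_hsts_header(params):
    """Header value the filter should emit for these params (None if HSTS is disabled).
    Defaults mirror the Tomcat docs: hstsEnabled=true, hstsMaxAgeSeconds=0,
    hstsIncludeSubDomains=false, hstsPreload=false. Assumption: Tomcat joins the
    directives with ';' and no space."""
    if params.get("hstsEnabled", "true").lower() != "true":
        return None
    parts = [f"max-age={int(params.get('hstsMaxAgeSeconds', '0'))}"]
    if params.get("hstsIncludeSubDomains", "false").lower() == "true":
        parts.append("includeSubDomains")
    if params.get("hstsPreload", "false").lower() == "true":
        parts.append("preload")
    return ";".join(parts)


def parse_hsts(header_value):
    """Parse a Strict-Transport-Security value into {directive(lower-case): value or None}."""
    directives = {}
    for raw in header_value.split(";"):
        token = raw.strip()
        if not token:
            continue
        name, sep, value = token.partition("=")
        directives[name.strip().lower()] = value.strip().strip('"') if sep else None
    return directives


def check_hsts(header_value, min_max_age=31536000, require_subdomains=True, require_preload=False):
    """Return (ok, findings). Findings are the conditions a pen-test report would flag."""
    if header_value is None:
        return False, ["Strict-Transport-Security header missing"]
    d = parse_hsts(header_value)
    findings = []
    max_age = d.get("max-age") or ""
    if not max_age.isdigit():
        findings.append("max-age directive missing or not an integer")
    elif int(max_age) == 0:
        findings.append("max-age=0 disables HSTS")
    elif int(max_age) < min_max_age:
        findings.append(f"max-age {max_age} below required {min_max_age}")
    if require_subdomains and "includesubdomains" not in d:
        findings.append("includeSubDomains missing")
    if require_preload and "preload" not in d:
        findings.append("preload missing")
    return (not findings), findings


def header_matches_config(observed_header, params):
    """True if the observed header carries exactly the directives the web.xml params produce."""
    expected = expected_hsts_header(params)
    if observed_header is None or expected is None:
        return observed_header is None and expected is None
    return parse_hsts(observed_header) == parse_hsts(expected)


def fetch_hsts(url):
    """Live check: return the HSTS header from an HTTPS URL, or None if absent.
    Not called at import time; requires network access to the server under test."""
    with urllib.request.urlopen(url) as resp:
        return resp.headers.get("Strict-Transport-Security")


if __name__ == "__main__":
    params = filter_params(WEB_XML_FILTER)
    print("expected:", expected_hsts_header(params))
    # Constructed sample of what a hardened server returns
    print(check_hsts("max-age=31536000; includeSubDomains; preload"))
    # Constructed sample of a weak header
    print(check_hsts("max-age=300"))
```

Run it against a constructed header as in `__main__`, or call `fetch_hsts("https://your-fme-host/")` (placeholder URL) to test the live server. Two caveats worth knowing when the live check still reports the header missing after the web.xml change: Tomcat's filter only adds HSTS when it considers the request secure, so behind a TLS-terminating reverse proxy the connector needs to be marked as secure (for example via RemoteIpValve) or the proxy must add the header itself; and browsers ignore HSTS entirely on plain-HTTP responses, so only the HTTPS endpoint matters for the finding.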

5 replies

hkingsbury
Celebrity
  • Celebrity
  • February 28, 2024

It’s probably a good idea to reach out to your local reseller/Safe to get some guidance on this in case there are any flow-on effects of making these changes.


sameer
Contributor
  • Author
  • Contributor
  • February 29, 2024
hkingsbury wrote:

It’s probably a good idea to reach out to your local reseller/Safe to get some guidance on this in case there are any flow-on effects of making these changes.

I don’t think there will be a knock-on effect. HSTS should be fine, and hiding software versions and creating custom error pages are common (Tomcat or any other web server). I already have custom error pages set up on other Tomcat servers. That’s part of security hardening.

It’s more about what works for FME Server.

I could have reached our reseller, but it will most likely end up with Safe in any case. I might do that as well.


sameer
Contributor
  • Author
  • Contributor
  • February 29, 2024

HSTS has now been enabled.

 


sameer
Contributor
  • Author
  • Contributor
  • Best Answer
  • March 1, 2024

Closing this case


steveatsafe
Safer
  • Safer
  • October 3, 2024

To close the loop, I’m adding a link to Sameer’s configuration and an article.
 


Thanks.

