Solved

Pen test Remediation required - Enable HSTS and Hide Email server type / version

  • 28 February 2024
  • 4 replies
  • 76 views

Userlevel 1
Badge +11

FME Flow 2023.2.1
Build 23774

 

I’m planning on upgrading FME Form / Flow this weekend which includes fixing the following vulnerabilities detected from our internal Pen Test.

 

USR-640 Email Servers Advertise Software Type and Version 

Removing the software banner from the email server is typically done in the configuration file, for example sendmail.cf or postfix.conf.

Is it possible to fix this and where would the file(s) be located?

What change should take place?

 

USR-622 HSTS Missing from HTTPS Server

Is it simply enough to add the following to the web.xml config file?

 

<!-- Enable HSTS   -->
<filter>
<filter-name>httpHeaderSecurity</filter-name>
<filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
<init-param>
<param-name>hstsEnabled</param-name>
<param-value>true</param-value>
</init-param>
<init-param>
<param-name>hstsMaxAgeSeconds</param-name>
<param-value>31536000</param-value>
</init-param>
<init-param>
<param-name>hstsIncludeSubDomains</param-name>
<param-value>true</param-value>
</init-param>
<init-param>
<param-name>hstsPreload</param-name>
<param-value>true</param-value>
</init-param>
<init-param>
<param-name>antiClickJackingOption</param-name>
<param-value>ALLOW-FROM</param-value>
</init-param>
<init-param>
<param-name>antiClickJackingUri</param-name>
<param-value>https://OUR_PRIMARY_DOMAIN.HERE</param-value>
</init-param>
<async-supported>true</async-supported>
</filter>

<!-- Enable HSTS Filter -->
<filter-mapping>
<filter-name>httpHeaderSecurity</filter-name>
<url-pattern>/*</url-pattern>
<dispatcher>REQUEST</dispatcher>
</filter-mapping>

 

I’m able to check if HSTS is enabled using my own PowerShell script thereafter as I did for my other servers. 

icon

Best answer by sameer 1 March 2024, 11:32

View original

4 replies

Userlevel 6
Badge +33

It’s probably a good idea to reach out to your local reseller/Safe to get some guidance on this in case there are any flow on effects of making these changes

Userlevel 1
Badge +11

It’s probably a good idea to reach out to your local reseller/Safe to get some guidance on this in case there are any flow on effects of making these changes

I don’t think there will be a knock on effect. HSTS should be fine and hiding software versions, creating custom error pages are common (Tomcat or any other web servers). I have custom error pages setup already on other Tomcat servers. That’s part of security hardening.

It’s is more about what works for FME Server.

I could have reached our reseller but it will most likely end up with Safe in any case. I might do that as well.

Userlevel 1
Badge +11

HSTS has now been enabled.

 

Userlevel 1
Badge +11

Closing this case

Reply