A vulnerability was found in F5 BIG-IP APM.
HTTP Security Header Not Detected
CVE Number is required to contact the vendor.
Please tell me if there is any information.
Thanks for reading.
Referring to Q11827 HTTP Security Header Not Detected, the remediation will need to take place on the asset [behind the F5] that is being identified in the results of the finding.
X-Frame-Options or Content-Security-Policy: frame-ancestors HTTP Headers missing on port 443.
GET / HTTP/1.1
Host: xxxxx.xxxxx.com
Connection: Keep-Alive

X-XSS-Protection HTTP Header missing on port 443.
X-Content-Type-Options HTTP Header missing on port 443.
Content-Security-Policy HTTP Header missing on port 443.
Strict-Transport-Security HTTP Header missing on port 443.
In my scan, the information gathered tells me this is an Apache web server:
As a security team member, I would contact the web server application owner and request that they implement the Apache header updates for the site reporting the issue [as I have highlighted below]...
CWE-693: Protection Mechanism Failure mentions the following - The product does not use or incorrectly uses a protection mechanism that provides sufficient defense against directed attacks against the product. A "missing" protection mechanism occurs when the application does not define any mechanism against a certain class of attack. An "insufficient" protection mechanism might provide some defenses - for example, against the most common attacks - but it does not protect against everything that is intended. Finally, an "ignored" mechanism occurs when a mechanism is available and in active use within the product, but the developer has not applied it in some code path.
Customers are advised to set proper X-Frame-Options, X-XSS-Protection, Content Security Policy, X-Content-Type-Options and Strict-Transport-Security HTTP response headers.
Depending on their server software, customers can set directives in their site configuration or Web.config files. A few examples are:
X-Frame-Options:
    Apache:  Header always append X-Frame-Options SAMEORIGIN
    nginx:   add_header X-Frame-Options SAMEORIGIN;
    HAProxy: rspadd X-Frame-Options:\ SAMEORIGIN
    IIS:     <httpProtocol><customHeaders><add name="X-Frame-Options" value="SAMEORIGIN" /></customHeaders></httpProtocol>

X-XSS-Protection:
    Apache:  Header always set X-XSS-Protection "1; mode=block"
    PHP:     header("X-XSS-Protection: 1; mode=block");

X-Content-Type-Options:
    Apache:  Header always set X-Content-Type-Options "nosniff"

Content-Security-Policy: (Please note that these values may differ from website to website. The values below are for informational purposes only. The scanner simply looks for the presence of the security header.)
    Apache:  Header set Content-Security-Policy "script-src 'self'; object-src 'self'"
    IIS:     <system.webServer><httpProtocol><customHeaders><add name="Content-Security-Policy" value="default-src 'self';" /></customHeaders></httpProtocol></system.webServer>
    nginx:   add_header Content-Security-Policy "default-src 'self'; script-src 'self';";

HTTP Strict-Transport-Security:
    Apache:  Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
    nginx:   add_header Strict-Transport-Security "max-age=31536000";
If you still have questions, I would ask that you cleanse the results of your scan as I did above, and post the information here for additional help.
You may want to read this post as well: HTTP Security Header Not Detected
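To verify a fix before re-running the scanner, the check below reproduces the finding's logic against a raw HTTP response. This is an added example, not code from the thread or from Qualys: the response text is a constructed sample, the header list and the rule that a Content-Security-Policy with frame-ancestors satisfies the X-Frame-Options check are taken from the finding text above, and replacing SAMPLE_RESPONSE with the output of `curl -sI https://host/` checks a real asset.

```python
"""Report which security headers a raw HTTP response is missing.

Added example (not part of the original thread). SAMPLE_RESPONSE is a
constructed response; header names are compared case-insensitively as
HTTP requires.
"""

# Headers the finding looks for. X-Frame-Options is also satisfied by a
# Content-Security-Policy that carries a frame-ancestors directive.
REQUIRED_HEADERS = (
    "X-Frame-Options",
    "X-XSS-Protection",
    "X-Content-Type-Options",
    "Content-Security-Policy",
    "Strict-Transport-Security",
)


def parse_response_headers(raw: str) -> dict:
    """Parse the header block of a raw HTTP response into a lowercase-keyed dict."""
    headers = {}
    lines = raw.replace("\r\n", "\n").split("\n")
    for line in lines[1:]:  # skip the status line
        if not line.strip():
            break  # blank line ends the header block; body follows
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def missing_security_headers(headers: dict) -> list:
    """Return the required header names absent from a parsed response."""
    missing = []
    for name in REQUIRED_HEADERS:
        if name.lower() in headers:
            continue
        if name == "X-Frame-Options":
            csp = headers.get("content-security-policy", "")
            if "frame-ancestors" in csp.lower():
                continue  # CSP frame-ancestors covers clickjacking
        missing.append(name)
    return missing


# Constructed sample: an Apache response with only HSTS configured.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Mon, 01 Jan 2024 00:00:00 GMT\r\n"
    "Server: Apache\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html></html>"
)

if __name__ == "__main__":
    for header in missing_security_headers(parse_response_headers(SAMPLE_RESPONSE)):
        print(f"{header} HTTP Header missing on port 443.")
```

Running the script against the sample lists the four headers that are absent and is silent about Strict-Transport-Security, which matches how the scanner reports the finding above.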
Can you post the exact text, as this sounds like you're missing an optional header in the Web Application. If that is indeed the case then you can modify the configuration on the backend or, as I am told, the F5 can inject the headers for all web requests.
Wondering if anyone can post a solution on this...
Can you give the details of what header was missing? I don't have access to the documentation, so if you have support with F5 you might contact them about the issue.