Q: Information security scan has a couple of issues preventing us from full implementation.
Finding 1: Missing or insecure "Content-Security-Policy" header
Severity: Low
Risk: It is possible to gather sensitive information about the web application such as usernames, passwords, machine name and/or sensitive file locations.
Risk: It is possible to persuade a naive user to supply sensitive information such as username, password, credit card number, social security number, etc.
Recommendation: Configure your server to use the "Content-Security-Policy" header with secure policies.

Finding 2: SHA-1 cipher suites were detected
Severity: Low
Details: Port 18170 TLS 1.2 Bad cyphers
TLS_DHE_RSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
Recommendation: Change the server's supported cipher suites.
Solution:
Missing or insecure "Content-Security-Policy" header
Content Security Policy (CSP) is an added layer of security that helps to detect and mitigate certain types of attacks, including Cross Site Scripting and data injection attacks. These attacks are used for everything from data theft to site defacement or distribution of malware.
To enable CSP, you need to configure your web server to return the Content-Security-Policy HTTP header (sometimes you will see mentions of the X-Content-Security-Policy header, but that's an older version and you don't need to specify it anymore).
Alternatively, the <meta> element can be used to configure a policy, for example: <meta http-equiv="Content-Security-Policy" content="default-src 'self'; img-src https://*; child-src 'none';">
To apply this setting, CSP must be configured in web.xml. See the link below for the CSP settings, section E.1 "Content security policy":
http://base.thep.lu.se/chrome/site/doc/html/appendix/web.xml.html
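The scanner's complaint is either that the header is absent or that the policy it carries is too permissive. The following added example (not code from the original article or from the product's web.xml) parses a Content-Security-Policy value and reports the weaknesses a scanner typically flags. Which conditions count as "insecure" is an assumption stated in the code: no default-src fallback, 'unsafe-inline' or 'unsafe-eval' on script-controlling directives, a bare wildcard source, or http:/data: sources for scripts. The sample responses are constructed; one of them carries the meta-tag policy quoted above.

```python
"""Audit a Content-Security-Policy value for the weaknesses a scanner flags.

Added example; not part of the original article or the product's code.
The conditions treated as insecure are an assumption about what "secure
policies" means: no missing default-src, no 'unsafe-inline'/'unsafe-eval'
on script-like directives, no bare wildcard source, no http:/data: for scripts.
"""
from typing import Dict, List

# Directives that govern active content; weak sources here are the ones that
# let an injected string run as script or change where relative URLs resolve.
SCRIPT_LIKE = {"default-src", "script-src", "object-src", "base-uri"}


def parse_csp(policy: str) -> Dict[str, List[str]]:
    """Split "name src src; name src" into {name: [sources]} with lower-cased names."""
    directives: Dict[str, List[str]] = {}
    for clause in policy.split(";"):
        tokens = clause.split()
        if not tokens:
            continue
        name, sources = tokens[0].lower(), tokens[1:]
        directives.setdefault(name, []).extend(sources)
    return directives


def audit_csp(policy: str) -> List[str]:
    """Return human-readable findings; an empty list means the policy passed."""
    findings: List[str] = []
    directives = parse_csp(policy)
    if "default-src" not in directives:
        findings.append("missing default-src: unlisted fetch directives are unrestricted")
    for name, sources in directives.items():
        for src in sources:
            low = src.lower()
            if name in SCRIPT_LIKE and low == "'unsafe-inline'":
                findings.append(f"{name} allows 'unsafe-inline' (inline script injection is not blocked)")
            elif name in SCRIPT_LIKE and low == "'unsafe-eval'":
                findings.append(f"{name} allows 'unsafe-eval'")
            elif low == "*":
                findings.append(f"{name} allows any origin (*)")
            elif name in SCRIPT_LIKE and low in ("http:", "data:"):
                findings.append(f"{name} allows {low} sources")
    return findings


def audit_response_headers(headers: Dict[str, str]) -> List[str]:
    """Audit the CSP carried by a response's headers (header names are case-insensitive)."""
    lowered = {k.lower(): v for k, v in headers.items()}
    policy = lowered.get("content-security-policy")
    if policy is None:
        return ["Content-Security-Policy header is missing"]
    return audit_csp(policy)


# Constructed sample responses, not captured from any real server.
SAMPLE_RESPONSES = {
    "no header": {"Content-Type": "text/html"},
    "article example": {"Content-Security-Policy": "default-src 'self'; img-src https://*; child-src 'none'"},
    "permissive": {"Content-Security-Policy": "script-src * 'unsafe-inline' http:"},
}

if __name__ == "__main__":
    for label, headers in SAMPLE_RESPONSES.items():
        findings = audit_response_headers(headers)
        print(f"{label}: {'OK' if not findings else ''}")
        for finding in findings:
            print("  -", finding)
```

Run it against the headers returned by the server after the web.xml change; an empty result for the real response is the condition the scanner is looking for, and the "permissive" sample shows why a header that is merely present does not clear the finding.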
Port 18170 TLS 1.2 Bad cyphers
This problem can have several causes, such as:
#1: Misconfiguration
#2: Bad certificates (very common error)
Solution: Either the certificate needs to be fixed, or the application must import the certificate as trusted, or use certificate / public key pinning.
#3: Certificate expired or not yet valid (less common error)
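The suites the scan lists are all reported for the same reason: their IANA names end in "_SHA", meaning HMAC-SHA1, and two of them also use 3DES. The following added example (not code from the original article or the product) applies that classification to a list of suite names so you can check a proposed cipher configuration before re-running the scan. The rules are an assumption about common scanner policy: SHA-1 MAC, 3DES, RC4, NULL and EXPORT suites are reported, and CBC suites are noted as non-AEAD. The two GCM suites are constructed for contrast and are not from the scan output.

```python
"""Classify TLS 1.2 cipher suite names (IANA form) the way a scanner does.

Added example; not part of the original article or the product. The rules are
an assumption about common scanner policy: a name ending in "_SHA" uses
HMAC-SHA1; 3DES, RC4, NULL and EXPORT suites are legacy; CBC suites are not AEAD.
"""
from typing import Dict, List


def weaknesses(suite: str) -> List[str]:
    """Return the reasons a suite would be reported; an empty list means acceptable."""
    name = suite.strip().upper()
    reasons: List[str] = []
    # In IANA names the trailing token is the MAC/PRF hash; a bare "SHA" is SHA-1,
    # whereas "SHA256"/"SHA384" denote the SHA-2 family.
    if name.endswith("_SHA"):
        reasons.append("SHA-1 MAC")
    if "_3DES_" in name:
        reasons.append("3DES (64-bit block cipher)")
    if "_RC4_" in name:
        reasons.append("RC4")
    if "_NULL_" in name:
        reasons.append("NULL encryption")
    if "EXPORT" in name:
        reasons.append("export-grade key size")
    if "_CBC_" in name:
        reasons.append("CBC mode (not AEAD)")
    return reasons


def audit_suites(suites: List[str]) -> Dict[str, List[str]]:
    """Map each suite to its list of reported weaknesses."""
    return {s: weaknesses(s) for s in suites}


def acceptable(suites: List[str]) -> List[str]:
    """Return only the suites that would pass the scanner's rules."""
    return [s for s in suites if not weaknesses(s)]


# The four suites from the scan finding on port 18170.
SCAN_SUITES = [
    "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    "TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA",
]
# Constructed replacements for contrast (not taken from the scan output).
MODERN_SUITES = [
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
]

if __name__ == "__main__":
    for suite, reasons in audit_suites(SCAN_SUITES + MODERN_SUITES).items():
        status = "OK" if not reasons else "; ".join(reasons)
        print(f"{suite}: {status}")
    print("acceptable:", acceptable(SCAN_SUITES + MODERN_SUITES))
```

Feed it the suite list the server will offer after the configuration change; if anything from SCAN_SUITES is still present, the finding will reappear regardless of the certificate's state.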
© 2024 Quest Software Inc. ALL RIGHTS RESERVED.