Environment
Cb Response 5.2.x and 6.x
Symptoms
Failed Qualys (or other) security scan on the Cb Response web UI
Cause
Lean default Nginx configuration: the shipped cb.server.body sets only a few response headers, so scanners flag the missing ones.
Resolution
In /etc/cb/nginx/conf.d/includes/cb.server.body:
Original:
# Enable Strict Transport Security (HSTS)
add_header Strict-Transport-Security max-age=31536000;
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;
Updated for security scan:
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
add_header X-Frame-Options SAMEORIGIN;
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";
add_header Content-Security-Policy "default-src 'self'; style-src 'self' 'unsafe-inline'";
add_header Public-Key-Pins 'pin-sha256="generatebase64fromcertbeingused"; max-age=10';
Notes
Depending on the scanning tool and its findings, you may need to extend the Content-Security-Policy with further directives such as img-src, font-src, etc.
You may also need to update the cipher list to exclude 3DES and DES.
From:
ssl_ciphers FIPS@STRENGTH:!aNULL:!eNULL;
To:
ssl_ciphers FIPS@STRENGTH:!aNULL:!eNULL:!3DES:!DES;
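After editing cb.server.body and reloading nginx, it is worth confirming that the server really emits the headers above before re-running the scan. The script below is an added verification helper, not part of the Cb Response product or of this KB; it assumes bash, curl and openssl are available and takes the UI hostname and, optionally, the PEM certificate path as arguments. It also computes the value that replaces the "generatebase64fromcertbeingused" placeholder in the Public-Key-Pins header (the base64 SHA-256 hash of the certificate's SubjectPublicKeyInfo). Public-Key-Pins is deliberately not in the required list, since current browsers no longer enforce HPKP; the short max-age=10 in the config above keeps a wrong pin from locking anyone out while it is still honoured. The sample response embedded in the script is constructed, not captured from a real server.

```shell
#!/usr/bin/env bash
# Added verification helper (not Carbon Black's tooling). Assumes bash, curl
# and openssl. Usage: ./check_cb_headers.sh <cb-response-host> [cert.pem]

# Response headers the updated cb.server.body is expected to emit
# (lowercase names, as they are compared case-insensitively).
REQUIRED_HEADERS="strict-transport-security x-frame-options x-content-type-options x-xss-protection content-security-policy"

# Constructed sample response (not captured from a real host) showing a server
# that still runs the original, lean configuration.
SAMPLE_LEAN_RESPONSE='HTTP/1.1 200 OK
Server: nginx
Strict-Transport-Security: max-age=31536000
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
'

# missing_headers: reads raw HTTP response headers on stdin and prints the
# name of every required header that is absent, one per line.
# Exit status 0 when nothing is missing, 1 otherwise.
missing_headers() {
    local headers h rc=0
    headers=$(tr -d '\r' | tr '[:upper:]' '[:lower:]')
    for h in $REQUIRED_HEADERS; do
        if ! printf '%s\n' "$headers" | grep -q "^$h:"; then
            printf '%s\n' "$h"
            rc=1
        fi
    done
    return $rc
}

# hpkp_pin: prints the base64 SHA-256 digest of the DER-encoded public key of
# the PEM certificate in $1, i.e. the pin-sha256 value for Public-Key-Pins.
hpkp_pin() {
    openssl x509 -in "$1" -noout -pubkey \
      | openssl pkey -pubin -outform der \
      | openssl dgst -sha256 -binary \
      | openssl enc -base64
}

# scan_host: fetch the UI's response headers and report what is missing.
# -k is used only because Cb Response servers often run self-signed
# certificates; it has no effect on the pin calculation.
scan_host() {
    if curl -sSIk "https://$1/" | missing_headers; then
        echo "all required headers present on $1"
    else
        echo "headers above are missing on $1"
        return 1
    fi
}

if [ "$#" -ge 1 ]; then
    scan_host "$1"
    if [ "$#" -ge 2 ]; then
        printf 'pin-sha256="%s"\n' "$(hpkp_pin "$2")"
    fi
else
    echo "No host given; checking the constructed sample instead:"
    printf '%s' "$SAMPLE_LEAN_RESPONSE" | missing_headers || true
fi
```

Run it as `./check_cb_headers.sh cbserver.example.com /etc/cb/certs/cb-server.crt` (placeholder host and path) after `service cb-nginx restart`; any header name it prints is one the scanner will still flag. If the CSP has been extended with img-src or font-src, the check still passes, because it only verifies that each header is present, not its exact value.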