Cb Response 5.2.x and 6.x
Failed Qualys (or other) Security scan on Cb Response web UI
Lean Nginx config
In /etc/cb/nginx/conf.d/includes/cb.server.body:
Original:
# Enable Strict Transport Security (HSTS)
add_header Strict-Transport-Security max-age=31536000;
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;
Updated for security scan:
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
add_header X-Frame-Options SAMEORIGIN;
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";
add_header Content-Security-Policy "default-src 'self'; style-src 'self' 'unsafe-inline'";
# Public-Key-Pins (HPKP): replace the placeholder with the base64 SPKI hash of the certificate in use.
# Current browsers no longer honour HPKP; keep this header only if the scanner requires it.
add_header Public-Key-Pins 'pin-sha256="generatebase64fromcertbeingused"; max-age=10';
Note: Depending on the scanning tool and its results, you may need to adjust the Content-Security-Policy directives (img-src, font-src, etc.) so the web UI's own resources are still allowed.
You may also need to update your ciphers.
From:
ssl_ciphers FIPS@STRENGTH:!aNULL:!eNULL;
To:
ssl_ciphers FIPS@STRENGTH:!aNULL:!eNULL:!3DES:!DES;
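To confirm that an include file actually carries the hardened header set and the cipher exclusions shown above before re-running the scan, here is an added audit script (example code, not Carbon Black's). It parses add_header and ssl_ciphers directives from text in the format of cb.server.body, reports what would still be flagged, and is run here against constructed copies of the "Original" and "Updated" snippets from this article. It deliberately does not require Public-Key-Pins, since current browsers no longer honour HPKP; the function and constant names are the example's own.

```python
"""Audit the header and cipher directives of a Cb Response nginx include.

Added example (not Carbon Black's code): parses add_header and ssl_ciphers
directives from text in the format of /etc/cb/nginx/conf.d/includes/cb.server.body
and reports what a scanner would still flag.
"""
import re
from typing import Dict, List

# Constructed sample: the "Original" snippet from the article plus its cipher line.
ORIGINAL_CONF = """\
# Enable Strict Transport Security (HSTS)
add_header Strict-Transport-Security max-age=31536000;
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;
ssl_ciphers FIPS@STRENGTH:!aNULL:!eNULL;
"""

# Constructed sample: the "Updated for security scan" snippet plus its cipher line.
UPDATED_CONF = """\
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
add_header X-Frame-Options SAMEORIGIN;
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";
add_header Content-Security-Policy "default-src 'self'; style-src 'self' 'unsafe-inline'";
ssl_ciphers FIPS@STRENGTH:!aNULL:!eNULL:!3DES:!DES;
"""

# One directive per line; the value runs up to the ';' that ends the line, so a ';'
# inside a quoted value (HSTS, CSP) stays part of the value.
ADD_HEADER_RE = re.compile(r"^[ \t]*add_header[ \t]+(\S+)[ \t]+(.*?)[ \t]*;[ \t]*$", re.M)
SSL_CIPHERS_RE = re.compile(r"^[ \t]*ssl_ciphers[ \t]+([^;\s]+)[ \t]*;", re.M)

# Headers the updated config adds. Public-Key-Pins is intentionally not required:
# current browsers no longer honour HPKP.
REQUIRED_HEADERS = (
    "x-frame-options",
    "x-content-type-options",
    "x-xss-protection",
    "content-security-policy",
)
MIN_HSTS_MAX_AGE = 31536000  # one year, the value used in the article


def _unquote(value: str) -> str:
    value = value.strip()
    if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
        return value[1:-1]
    return value


def parse_add_headers(conf: str) -> Dict[str, dict]:
    """Map lower-cased header name -> {"value": str, "always": bool} per add_header."""
    headers: Dict[str, dict] = {}
    for name, rest in ADD_HEADER_RE.findall(conf):
        rest = rest.strip()
        always = rest.endswith(" always")  # nginx 'always' flag: send on error responses too
        if always:
            rest = rest[: -len(" always")].rstrip()
        headers[name.lower()] = {"value": _unquote(rest), "always": always}
    return headers


def audit_headers(headers: Dict[str, dict]) -> List[str]:
    """Findings for the add_header set; an empty list means nothing to report."""
    findings: List[str] = []
    hsts = headers.get("strict-transport-security")
    if hsts is None:
        findings.append("missing Strict-Transport-Security")
    else:
        directives: Dict[str, str] = {}
        for part in hsts["value"].split(";"):
            key, _, val = part.strip().partition("=")
            if key:
                directives[key.lower()] = val
        max_age = int(directives.get("max-age", "0") or 0)
        if max_age < MIN_HSTS_MAX_AGE:
            findings.append(f"HSTS max-age {max_age} is below {MIN_HSTS_MAX_AGE}")
        if "includesubdomains" not in directives:
            findings.append("HSTS lacks includeSubDomains")
        if not hsts["always"]:
            findings.append("HSTS is not sent on error responses (missing 'always')")
    for name in REQUIRED_HEADERS:
        if name not in headers:
            findings.append(f"missing {name}")
    return findings


def audit_ciphers(conf: str) -> List[str]:
    """Findings for ssl_ciphers: DES and 3DES must be excluded, as in the updated config."""
    match = SSL_CIPHERS_RE.search(conf)
    if match is None:
        return ["no ssl_ciphers directive found"]
    excluded = {p[1:].upper() for p in match.group(1).split(":") if p.startswith("!")}
    return [f"ssl_ciphers does not exclude {c}" for c in ("3DES", "DES") if c not in excluded]


def audit_conf(conf: str) -> List[str]:
    """Run both audits over one config text (e.g. the contents of cb.server.body)."""
    return audit_headers(parse_add_headers(conf)) + audit_ciphers(conf)


if __name__ == "__main__":
    for label, conf in (("original", ORIGINAL_CONF), ("updated", UPDATED_CONF)):
        print(f"{label}: {audit_conf(conf) or ['OK']}")
```

Run it against the real file with `audit_conf(open("/etc/cb/nginx/conf.d/includes/cb.server.body").read())`; an empty list means the include matches the hardened set, while the "original" sample reports the missing includeSubDomains, the missing `always` flag, the two absent headers and the two cipher exclusions. The check only reads the include, so it does not replace a test of the live responses: an add_header in a more specific location block overrides inherited ones.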
Copyright © 2005-2023 Broadcom. All Rights Reserved. The term “Broadcom” refers to Broadcom Inc. and/or its subsidiaries.