
Nginx Configuration for Security Scans

Environment

Cb Response 5.2.x and 6.x

Symptoms

Failed Qualys (or other) security scan of the Cb Response web UI

Cause

The default Nginx configuration is minimal and omits several response headers that security scanners expect to see.

Resolution

In /etc/cb/nginx/conf.d/includes/cb.server.body:

Original:

# Enable Strict Transport Security (HSTS)
add_header Strict-Transport-Security max-age=31536000;
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;

Updated for security scan:

add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
add_header X-Frame-Options SAMEORIGIN;
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";
add_header Content-Security-Policy "default-src 'self'; style-src 'self' 'unsafe-inline'";
add_header Public-Key-Pins 'pin-sha256="generatebase64fromcertbeingused"; max-age=10';

Notes

Depending on the scanning tool and its results, you may need to extend the Content-Security-Policy with additional directives such as img-src and font-src.

You may also need to update your ciphers.

From:

ssl_ciphers   FIPS@STRENGTH:!aNULL:!eNULL;

To:

ssl_ciphers FIPS@STRENGTH:!aNULL:!eNULL:!3DES:!DES;
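To confirm the change took effect before re-running the scan, here is an added header audit (example code, not part of Cb Response) that parses a raw HTTPS response and reports which of the headers from the updated cb.server.body are missing or weaker than the scan expects; the two embedded responses are constructed to mirror the "Original" and "Updated" directives above.

```python
import re

# Added checker (not Cb Response code): maps each header from the updated
# cb.server.body on this page to the value a scanner expects to see.
REQUIRED = {
    "strict-transport-security": re.compile(r"max-age=\d+.*includesubdomains", re.I),
    "x-frame-options": re.compile(r"^(deny|sameorigin)$", re.I),
    "x-content-type-options": re.compile(r"^nosniff$", re.I),
    "x-xss-protection": re.compile(r"^1;\s*mode=block$", re.I),
    "content-security-policy": re.compile(r"default-src\s+'self'", re.I),
}
# Public-Key-Pins is deliberately not checked: browsers no longer honour HPKP.

# Constructed sample responses mirroring the "Original" and "Updated" directives.
BEFORE = """HTTP/1.1 200 OK
Server: nginx
Strict-Transport-Security: max-age=31536000
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
"""
AFTER = """HTTP/1.1 200 OK
Server: nginx
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Content-Security-Policy: default-src 'self'; style-src 'self' 'unsafe-inline'
"""

def parse_headers(raw: str) -> dict:
    """Turn the header section of a raw HTTP response into a lowercase-keyed dict."""
    headers = {}
    for line in raw.strip().splitlines()[1:]:  # skip the status line
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers

def audit(raw: str) -> list:
    """Return the findings a header-focused scan would raise; an empty list is clean."""
    headers = parse_headers(raw)
    findings = []
    for name, pattern in REQUIRED.items():
        value = headers.get(name)
        if value is None:
            findings.append(f"missing {name}")
        elif not pattern.search(value):
            findings.append(f"weak {name}: {value}")
    return findings
```

Feed audit() the headers of an error page (for example a 404) as well as the login page: without the `always` parameter nginx only emits add_header values on 2xx and 3xx responses, which is why the updated HSTS line carries it.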

Creation Date: 11-01-2017