For HSTS specifically:
Preface WARNING: Enabling HSTS will mean that the certificate should have the CN for the hostname that you are communicating with.
Meaning, if you issued a cert for mxserver.example.net from your own CA, you cannot visit the page with the IP address anymore.
Same goes for the gateway: if you have registered the GW with IP addresses instead of hostnames, it will likely cause the GW to show up disconnected on the MX after reboot. You can of course issue the CA cert with the IP address in the CN.
Support for how to get the right certificate issued is out of scope for Imperva, but we can assist in uploading the certificate to the MX and GW.
Steps to enable HSTS on MX and GW:
You can enable HSTS by editing the file (make a backup before editing):
/opt/SecureSphere/server/SecureSphere/jakarta-tomcat-secsph/conf/web.xml
Default:
    <filter>
        <filter-name>httpHeaderSecurity</filter-name>
        <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
        <async-supported>true</async-supported>
    </filter>
Should be:
    <filter>
        <filter-name>httpHeaderSecurity</filter-name>
        <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
        <async-supported>true</async-supported>
        <init-param>
            <param-name>hstsEnabled</param-name>
            <param-value>true</param-value>
        </init-param>
        <init-param>
            <param-name>hstsMaxAgeSeconds</param-name>
            <param-value>31536000</param-value>
        </init-param>
        <init-param>
            <param-name>hstsIncludeSubDomains</param-name>
            <param-value>true</param-value>
        </init-param>
    </filter>
When you go to edit the file, you will see more relevant parameters that you can configure. If you are having issues, I strongly recommend opening a support ticket.
Once done, reboot the appliance. You will need a reboot, not a service restart.
------------------------------
Sarvesh Lad
Tech Lead @ On-Prem Managed Services (WAF, DAM, DRA & Sonar)
------------------------------
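Added example, not from the thread or from Imperva: a Python script that applies the web.xml change described above in an idempotent way (backup first, add or update the three init-params on the httpHeaderSecurity filter, never duplicate them). The sample web.xml is constructed for the demo; the file path is the one quoted in the thread, and the namespace handling assumes the usual Java EE default namespace on <web-app>.

```python
import shutil
import xml.etree.ElementTree as ET
from pathlib import Path

# Values quoted in the thread for the Tomcat HttpHeaderSecurityFilter.
HSTS_PARAMS = {"hstsEnabled": "true",
               "hstsMaxAgeSeconds": "31536000",
               "hstsIncludeSubDomains": "true"}

# Constructed sample of the "Default" filter block, with the usual Java EE namespace.
SAMPLE_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee">
  <!-- constructed sample, comments are preserved by the edit -->
  <filter>
    <filter-name>httpHeaderSecurity</filter-name>
    <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
    <async-supported>true</async-supported>
  </filter>
</web-app>"""

def _parse(xml_text):
    """Parse, keep XML comments, and return (root, tag-qualifier) for the file's namespace."""
    root = ET.fromstring(xml_text, parser=ET.XMLParser(target=ET.TreeBuilder(insert_comments=True)))
    ns = root.tag[1:].split("}")[0] if root.tag.startswith("{") else ""
    if ns:
        ET.register_namespace("", ns)  # serialise back with a default namespace, no ns0: prefix
    return root, ((lambda t: f"{{{ns}}}{t}") if ns else (lambda t: t))

def _text(el):
    return (el.text or "").strip() if el is not None else ""

def _http_header_filter(root, q):
    for flt in root.iter(q("filter")):
        if _text(flt.find(q("filter-name"))) == "httpHeaderSecurity":
            return flt
    raise ValueError("httpHeaderSecurity filter not present in web.xml")

def init_params(xml_text):
    """Return the filter's init-params as {name: value}; use it to verify an edited file."""
    root, q = _parse(xml_text)
    return {_text(ip.find(q("param-name"))): _text(ip.find(q("param-value")))
            for ip in _http_header_filter(root, q).findall(q("init-param"))}

def enable_hsts(xml_text, params=HSTS_PARAMS):
    """Add or update the HSTS init-params; running it twice leaves exactly one of each."""
    root, q = _parse(xml_text)
    flt = _http_header_filter(root, q)
    present = {_text(ip.find(q("param-name"))): ip for ip in flt.findall(q("init-param"))}
    for name, value in params.items():
        if name in present:
            present[name].find(q("param-value")).text = value
        else:  # the servlet schema orders init-param after async-supported, so append
            ip = ET.SubElement(flt, q("init-param"))
            ET.SubElement(ip, q("param-name")).text = name
            ET.SubElement(ip, q("param-value")).text = value
    return ET.tostring(root, encoding="unicode")

def patch_web_xml(path="/opt/SecureSphere/server/SecureSphere/jakarta-tomcat-secsph/conf/web.xml"):
    """Back up web.xml beside itself, then rewrite it with HSTS enabled (reboot afterwards)."""
    src = Path(path)
    shutil.copy2(src, src.with_suffix(".xml.bak"))
    text = src.read_text()
    head = text[:text.index("?>") + 2] + "\n" if text.startswith("<?xml") else ""
    src.write_text(head + enable_hsts(text))
```

Run `init_params()` on the rewritten file to confirm all three values before rebooting; a missing or misspelled param-name is silently ignored by the filter.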
Original Message:
Sent: 01-11-2023 13:22
From: Spencer Nassau
Subject: Vulnerability in MX & GW appliances
Hello Syed,
The documentation you provided is, based on my reading, in regard to remediating HSTS for sites behind the WAF. How do you remediate HSTS for communication with the actual appliance?
------------------------------
Spencer Nassau
Security Engineer
TREAS - OCC
Washington DC
Original Message:
Sent: 12-07-2022 23:02
From: Syed Noor Fazal
Subject: Vulnerability in MX & GW appliances
Hello Jagadesh,
Greetings!
Please follow the below guide for addressing the above-mentioned vulnerabilities:
https://docs.imperva.com/bundle/v14.4-web-application-firewall-user-guide/page/69458.htm
------------------------------
Syed Noor Fazal
Product Support Engineer
Original Message:
Sent: 12-07-2022 13:21
From: Jagadesh Kumar R
Subject: Vulnerability in MX & GW appliances
Hello Sarvesh,
Thanks for the update,
These vulnerabilities are discovered in appliances.
------------------------------
Jagadesh Kumar R
Information Security Group, Assistant Manager
The Karur Vysya Bank Limited
Karur
Original Message:
Sent: 12-07-2022 13:05
From: Sarvesh Lad
Subject: Vulnerability in MX & GW appliances
Hi,
Are these discovered within the appliance itself or the sites the on-prem appliance is protecting?
I'm asking because a GW doesn't have a GUI.
------------------------------
Sarvesh Lad
Tech Lead @ On-Prem Managed Services (WAF, DAM, DRA & Sonar)
Original Message:
Sent: 12-02-2022 08:34
From: Jagadesh Kumar R
Subject: Vulnerability in MX & GW appliances
Dear everyone,
The below-mentioned vulnerabilities were recently discovered in MX and GW appliances version 13.6.0.51.
Missing content security policy
No Cache-control and pragma HTTP header set
HTML5: Cross Site Scripting Protection Not Set
Web Server Misconfiguration: Insecure Content type setting
Insecure Transport: HSTS Not Set
Cross Frame Scripting
If anyone has overcome these vulnerabilities reported by the pentesting team, I am looking for an update.
#On-PremisesWAF(formerlySecuresphere)
------------------------------
Jagadesh Kumar R
Information Security Group, Assistant Manager
The Karur Vysya Bank Limited
Karur
------------------------------