Check: TCAT-AS-000030
Apache Tomcat 9 STIG:
TCAT-AS-000030
(in version v1 r0.1)
Title
HTTP Strict Transport Security (HSTS) must be enabled. (Cat III impact)
Discussion
HTTP Strict Transport Security (HSTS) is a response header (Strict-Transport-Security) that instructs web browsers to use only secure (HTTPS) connections for all future requests to a web site for the stated max-age, and to refuse the connection rather than click through a certificate error. Doing so helps prevent SSL/TLS downgrade attacks, SSL stripping, cookie hijacking, and other attempts to circumvent TLS protection. Browsers honor the header only when it arrives over HTTPS, and Tomcat's HttpHeaderSecurityFilter adds it only to requests it regards as secure, so enabling HSTS assumes a TLS connector is already serving the site (or, behind a TLS-terminating proxy, that Tomcat is configured to recognize the forwarded connection as secure).
Check Content
From the Tomcat server console, run the following command:

sudo grep -i -A5 -B8 hstsEnabled $CATALINA_HOME/conf/web.xml

The -B8/-A5 context is there so the output shows whether the surrounding httpHeaderSecurity <filter> block is wrapped in an XML comment (<!-- ... -->); grep matches inside comments just as readily, and the default web.xml also mentions hstsEnabled in the explanatory comment above the filter block, so a match by itself does not prove compliance. If the httpHeaderSecurity filter is commented out, or if the hstsEnabled init-param is not set to "true", this is a finding.
Fix Text
From the Tomcat server as a privileged user, edit the web.xml file:

sudo nano $CATALINA_HOME/conf/web.xml

Uncomment the existing httpHeaderSecurity filter section or create the filter section using the following code. hstsEnabled is a filter initialization parameter, so it is set with <init-param>; a bare <hstsEnabled> element inside <filter> is not valid in the web-app schema and is not read by the filter:

<filter>
    <filter-name>httpHeaderSecurity</filter-name>
    <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
    <async-supported>true</async-supported>
    <init-param>
        <param-name>hstsEnabled</param-name>
        <param-value>true</param-value>
    </init-param>
</filter>

The filter only runs if it is also mapped. The default web.xml ships a matching httpHeaderSecurity <filter-mapping> (url-pattern /*) commented out in its filter-mapping section, and that block must be uncommented as well.
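The STIG check relies on grep context, which cannot reliably tell an active <filter> from one sitting inside an XML comment. As an added example (not part of the STIG and not Tomcat code), the following Python script applies the same check by parsing web.xml as XML: commented-out blocks never become elements, the hstsEnabled init-param is read from the correct filter rather than from a nearby comment, and the presence of the <filter-mapping> is checked too. The three web.xml samples are constructed for the example, and the function names are the example's own.

```python
"""Apply TCAT-AS-000030 to a Tomcat conf/web.xml by parsing it as XML.

Added example, not STIG or Tomcat code. Usage: python check_hsts.py [path/to/web.xml]
"""
import sys
import xml.etree.ElementTree as ET

FILTER_NAME = "httpHeaderSecurity"
FILTER_CLASS = "org.apache.catalina.filters.HttpHeaderSecurityFilter"

# Constructed sample: a compliant conf/web.xml with the filter declared,
# hstsEnabled set explicitly as an init-param, and the filter mapped.
COMPLIANT_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="4.0">
  <filter>
    <filter-name>httpHeaderSecurity</filter-name>
    <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
    <async-supported>true</async-supported>
    <init-param>
      <param-name>hstsEnabled</param-name>
      <param-value>true</param-value>
    </init-param>
  </filter>
  <filter-mapping>
    <filter-name>httpHeaderSecurity</filter-name>
    <url-pattern>/*</url-pattern>
    <dispatcher>REQUEST</dispatcher>
  </filter-mapping>
</web-app>
"""

# Constructed sample: the same file with both blocks wrapped in XML comments,
# which is how Tomcat ships them (grep still matches the text inside).
COMMENTED_OUT_WEB_XML = (
    COMPLIANT_WEB_XML.replace("<filter>", "<!-- <filter>")
    .replace("</filter>", "</filter> -->")
    .replace("<filter-mapping>", "<!-- <filter-mapping>")
    .replace("</filter-mapping>", "</filter-mapping> -->")
)

# Constructed sample: filter active and mapped, but HSTS explicitly switched off.
DISABLED_WEB_XML = COMPLIANT_WEB_XML.replace(
    "<param-value>true</param-value>", "<param-value>false</param-value>"
)


def _local(tag):
    """Strip the {namespace} prefix ElementTree puts on namespaced tags."""
    return tag.rsplit("}", 1)[-1]


def _child_text(elem, name):
    """Text of the first direct child with local name `name`, or None."""
    for child in elem:
        if _local(child.tag) == name:
            return (child.text or "").strip()
    return None


def check_hsts(web_xml_text):
    """Return (compliant, findings) for the given web.xml text.

    Findings: filter absent or commented out; wrong filter-class; hstsEnabled
    not explicitly "true" (the filter defaults to true, but the STIG asks for
    the explicit setting); filter declared but never mapped.
    """
    root = ET.fromstring(web_xml_text)
    findings = []

    # Comments never become elements, so a commented-out filter is simply
    # not found. This is what the grep -B8 -A5 context is trying to eyeball.
    filt = next(
        (e for e in root
         if _local(e.tag) == "filter" and _child_text(e, "filter-name") == FILTER_NAME),
        None,
    )
    if filt is None:
        return False, ["httpHeaderSecurity filter is missing or commented out"]

    if _child_text(filt, "filter-class") != FILTER_CLASS:
        findings.append("filter-class is not " + FILTER_CLASS)

    # hstsEnabled must be an <init-param> of this filter, not a bare element.
    hsts = None
    for param in filt:
        if _local(param.tag) == "init-param" and _child_text(param, "param-name") == "hstsEnabled":
            hsts = _child_text(param, "param-value")
    if hsts is None:
        findings.append("hstsEnabled init-param is not set")
    elif hsts.lower() != "true":
        findings.append('hstsEnabled is "%s", not "true"' % hsts)

    mapped = any(
        _local(e.tag) == "filter-mapping" and _child_text(e, "filter-name") == FILTER_NAME
        for e in root
    )
    if not mapped:
        findings.append("filter is declared but has no <filter-mapping>")

    return not findings, findings


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            text = fh.read()
    else:
        text = COMPLIANT_WEB_XML
    ok, found = check_hsts(text)
    print("compliant" if ok else "FINDING: " + "; ".join(found))
```

Run it against $CATALINA_HOME/conf/web.xml on the server; any non-empty findings list corresponds to a finding under this check. Because ElementTree discards comments, the stock commented-out block is reported as missing, which is exactly the condition the STIG wants flagged.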
Additional Identifiers
Rule ID: TCAT-AS-000030_rule
Vulnerability ID: TCAT-AS-000030
Group Title: SRG-APP-000015-AS-000010
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-001453 | The information system implements cryptographic mechanisms to protect the integrity of remote access sessions. |
Controls
Number | Title |
---|---|
AC-17 (2) | Protection Of Confidentiality / Integrity Using Encryption |