Content-Security-Policy & HTTP Public-Key-Pins


Hello


After some vulnerability/pentest scans against our public IPs, we have some things to action.

They only seem small to me, but I don't know where to start.

In most cases I have an SSL VS with multiple sub-VSs for multiple websites.

Luckily the VS in question only has a few servers behind it, so the remediation should be minimal work, I hope.

Below are the results assigned:

Content-Security-Policy HTTP Security Header Not Detected - The HTTP Content-Security-Policy response header allows web site administrators to control resources the user agent is allowed to load for a given page. This helps guard against cross-site scripting attacks (XSS).
QID Detection Logic:
This QID detects the absence of the Content-Security-Policy HTTP header by transmitting a GET request.


HTTP Public-Key-Pins Security Header Not Detected - HTTP Public Key Pinning (HPKP) is a security feature that tells a web client to associate a specific cryptographic public key with a certain web server to decrease the risk of MITM attacks with forged certificates.
QID Detection Logic:
This QID detects the absence of the Public-Key-Pins HTTP header by transmitting a GET request.


My question is: can I remediate these with a setting on the Kemp LoadMaster, as they are either doing SSL offloading or re-encryption,

or do I need to investigate and change each real server on the backend?

Or just any help on this topic would be great.

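As an added example that is not part of the original post (and not Kemp's or Qualys's code), here is a small Python checker that reproduces the detection logic quoted in both findings: it parses a response head (or fetches one with a GET) and reports whether the Content-Security-Policy and Public-Key-Pins headers are present. It works the same whether a header is injected at the load balancer or set by each real server, so it can confirm a fix from either side. The sample responses are constructed; the "weak" and "report-only" classifications are the example's own and are stricter than the scanner's simple presence check. One caveat on the second finding: HPKP (RFC 7469) has been removed from the major browsers, so a missing Public-Key-Pins header is reported here for completeness but is not something to deploy.

```python
"""Audit a response for the two headers named in the scan findings.

Added example, not from the original post, Kemp or Qualys. Sample responses
below are constructed; the classification rules are this example's own.
"""
import http.client
from typing import Dict, Iterable, Tuple

CSP = "content-security-policy"
CSP_RO = "content-security-policy-report-only"
HPKP = "public-key-pins"


def header_map(headers: Iterable[Tuple[str, str]]) -> Dict[str, str]:
    """Lower-case header names (HTTP names are case-insensitive) and join
    repeated headers with ', ' as RFC 9110 list semantics allow."""
    out: Dict[str, str] = {}
    for name, value in headers:
        key = name.strip().lower()
        value = value.strip()
        out[key] = f"{out[key]}, {value}" if key in out else value
    return out


def parse_response_head(raw: bytes) -> Tuple[int, Dict[str, str]]:
    """Split a raw HTTP/1.x response into (status code, header map)."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    status_line, *lines = head.split("\r\n")
    status = int(status_line.split(" ", 2)[1])
    pairs = [tuple(line.split(":", 1)) for line in lines if ":" in line]
    return status, header_map(pairs)


def audit_headers(headers: Dict[str, str]) -> Dict[str, str]:
    """Classify the two headers the scanner looks for.

    CSP: 'ok', 'weak' (policy allows inline/eval scripts, which gives little
    XSS protection), 'report-only' (only the Report-Only variant is set, which
    enforces nothing) or 'missing'. The scanner itself only tests presence.
    HPKP: 'present' or 'missing'. Major browsers have removed HPKP support,
    so 'missing' here is informational, not a fix to deploy.
    """
    findings: Dict[str, str] = {}
    csp = headers.get(CSP, "")
    if csp:
        lowered = csp.lower()
        weak = "'unsafe-inline'" in lowered or "'unsafe-eval'" in lowered
        findings[CSP] = "weak" if weak else "ok"
    elif headers.get(CSP_RO):
        findings[CSP] = "report-only"
    else:
        findings[CSP] = "missing"
    findings[HPKP] = "present" if headers.get(HPKP) else "missing"
    return findings


def audit_raw(raw: bytes) -> Dict[str, str]:
    """Audit a captured response head (e.g. from a packet capture)."""
    _, headers = parse_response_head(raw)
    return audit_headers(headers)


def audit_url(host: str, port: int = 443, path: str = "/", tls: bool = True) -> Dict[str, str]:
    """Send the same kind of GET the scanner does and audit the live answer.
    Point it at the VIP to test the load balancer, or at a real server to
    test the backend directly (hostnames/ports here are the caller's)."""
    conn_cls = http.client.HTTPSConnection if tls else http.client.HTTPConnection
    conn = conn_cls(host, port, timeout=10)
    try:
        conn.request("GET", path, headers={"Host": host, "User-Agent": "header-audit/0.1"})
        resp = conn.getresponse()
        return audit_headers(header_map(resp.getheaders()))
    finally:
        conn.close()


# Constructed sample responses (not captured from any real system).
BARE = b"HTTP/1.1 200 OK\r\nServer: nginx\r\nContent-Type: text/html\r\n\r\n<html>"
FIXED = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Security-Policy: default-src 'self'; script-src 'self'; "
    b"object-src 'none'; frame-ancestors 'none'\r\n"
    b"Strict-Transport-Security: max-age=31536000\r\n\r\n"
)
REPORT_ONLY = b"HTTP/1.1 200 OK\r\nContent-Security-Policy-Report-Only: default-src 'self'\r\n\r\n"
WEAK = b"HTTP/1.1 200 OK\r\nContent-Security-Policy: default-src * 'unsafe-inline'\r\n\r\n"

if __name__ == "__main__":
    for label, raw in (("bare", BARE), ("fixed", FIXED), ("report-only", REPORT_ONLY), ("weak", WEAK)):
        print(f"{label:12s} {audit_raw(raw)}")
```

Run `audit_url("www.example.com")` against the VIP and then against a real server's address to see which side is answering without the header; if the VIP shows "ok" but a real server shows "missing", the fix lives in front of the backend.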