HSTS stands for HTTP Strict-Transport-Security. HSTS is turned off in vCommander by default because it restricts both the admin and portal interfaces to running on port 443.

HSTS is not a vulnerability; it is a configuration choice. Out of the box, vCommander does not have HSTS enabled, and enabling it does not provide extra security because vCommander does not serve content over port 80 and has a redirect in place that automatically sends all connections from port 80 to 443.

Requirements

  • vCommander and portal interfaces must be set to run on port 443. You cannot run portal on a different port.
  • vCommander must have a valid certificate that ALL clients accept.

Steps To Enable HSTS in vCommander

1.  Edit <install dir>/tomcat/conf/server.xml

            Make sure that unpackWARs is enabled:

            unpackWARs="true"

2.  If it is set to "false", set it to "true" and then restart the vCommander Windows service.

3.  Stop the vCommander Windows service.

4.  Edit the following 5 web.xml files:

            <install dir>/tomcat/webapps/newui/WEB-INF/web.xml

            <install dir>/tomcat/webapps/admin/WEB-INF/web.xml

            <install dir>/tomcat/webapps/ng-ui/WEB-INF/web.xml

            <install dir>/tomcat/webapps/portal/WEB-INF/web.xml

            <install dir>/tomcat/webapps/expiryextension/WEB-INF/web.xml

            Add the following after the last </filter-mapping> entry in each web.xml file (for expiryextension, add it at line 111):


            <filter-mapping>
                <filter-name>httpHeaderSecurity</filter-name>
                <url-pattern>/*</url-pattern>
                <dispatcher>REQUEST</dispatcher>
            </filter-mapping>

            <filter>
                <filter-name>httpHeaderSecurity</filter-name>
                <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
                <async-supported>true</async-supported>
                <init-param>
                    <param-name>hstsEnabled</param-name>
                    <param-value>true</param-value>
                </init-param>
                <init-param>
                    <param-name>hstsMaxAgeSeconds</param-name>
                    <param-value>31536000</param-value>
                </init-param>
                <init-param>
                    <param-name>hstsIncludeSubDomains</param-name>
                    <param-value>true</param-value>
                </init-param>
                <init-param>
                    <param-name>antiClickJackingEnabled</param-name>
                    <param-value>false</param-value>
                </init-param>
            </filter>

5.  Start the vCommander Windows service.
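The script below is an added example for verifying the procedure above; it is not part of this article or of vCommander. Run it with <install dir> on the command line before step 5: it reads server.xml and the five web.xml files named in step 4 and reports whether unpackWARs is on and whether each file carries a mapped httpHeaderSecurity filter with hstsEnabled, hstsMaxAgeSeconds and hstsIncludeSubDomains set to the values shown. After step 5, pass the HTTPS URL of the admin or portal interface as a second argument and it checks that the Strict-Transport-Security header is actually returned with max-age=31536000 and includeSubDomains. The file name hsts_check.py and the command-line layout are assumptions, and SAMPLE_WEB_XML is a constructed fragment so the checks can be exercised offline.

```python
"""Checks for the HSTS procedure above. Added example, not part of the article or of
vCommander; <install dir> comes from argv and SAMPLE_WEB_XML is a constructed sample."""
import re
import sys
import urllib.request
import xml.etree.ElementTree as ET
from pathlib import Path

# The five web.xml files from step 4, relative to <install dir>.
WEB_XML_FILES = [
    "tomcat/webapps/newui/WEB-INF/web.xml",
    "tomcat/webapps/admin/WEB-INF/web.xml",
    "tomcat/webapps/ng-ui/WEB-INF/web.xml",
    "tomcat/webapps/portal/WEB-INF/web.xml",
    "tomcat/webapps/expiryextension/WEB-INF/web.xml",
]
# init-param values the article's <filter> block sets.
EXPECTED_PARAMS = {"hstsEnabled": "true", "hstsMaxAgeSeconds": "31536000",
                   "hstsIncludeSubDomains": "true"}


def _local(tag):
    """Strip an XML namespace ('{uri}filter' -> 'filter'); web.xml usually declares one."""
    return tag.rsplit("}", 1)[-1]


def _text(el):
    return (el.text or "").strip()


def check_web_xml(xml_text):
    """Return the problems found with the httpHeaderSecurity filter (empty list = OK)."""
    filters, mapped = {}, set()
    for el in ET.fromstring(xml_text):
        parts = {_local(c.tag): c for c in el}
        if "filter-name" not in parts:
            continue  # <servlet>, <listener> and similar entries are not relevant here
        if _local(el.tag) == "filter":
            params = {}
            for ip in (c for c in el if _local(c.tag) == "init-param"):
                kv = {_local(p.tag): _text(p) for p in ip}
                params[kv.get("param-name")] = kv.get("param-value")
            filters[_text(parts["filter-name"])] = params
        elif _local(el.tag) == "filter-mapping":
            mapped.add(_text(parts["filter-name"]))
    if "httpHeaderSecurity" not in filters:
        return ["no <filter> named httpHeaderSecurity"]
    problems = []
    if "httpHeaderSecurity" not in mapped:
        problems.append("httpHeaderSecurity has no <filter-mapping>")
    for key, want in EXPECTED_PARAMS.items():
        got = filters["httpHeaderSecurity"].get(key)
        if got != want:
            problems.append(f"{key}={got!r}, expected {want!r}")
    return problems


def check_server_xml(xml_text):
    """True when no <Host> in server.xml turns unpackWARs off (step 1).
    Tomcat defaults the attribute to true, so an absent attribute passes."""
    hosts = [h for h in ET.fromstring(xml_text).iter() if _local(h.tag) == "Host"]
    return bool(hosts) and all(h.get("unpackWARs", "true").lower() == "true" for h in hosts)


def check_hsts_header(value):
    """Validate a Strict-Transport-Security response header against the filter settings."""
    if not value:
        return ["no Strict-Transport-Security header in the response"]
    problems = []
    m = re.search(r"max-age=(\d+)", value, re.IGNORECASE)
    if not m:
        problems.append("max-age directive missing")
    elif m.group(1) != EXPECTED_PARAMS["hstsMaxAgeSeconds"]:
        problems.append(f"max-age={m.group(1)}, expected {EXPECTED_PARAMS['hstsMaxAgeSeconds']}")
    if "includesubdomains" not in value.lower():
        problems.append("includeSubDomains directive missing")
    return problems


# Constructed web.xml fragment that contains the article's filter block (offline sample).
SAMPLE_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee">
  <filter-mapping><filter-name>httpHeaderSecurity</filter-name>
    <url-pattern>/*</url-pattern><dispatcher>REQUEST</dispatcher></filter-mapping>
  <filter><filter-name>httpHeaderSecurity</filter-name>
    <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
    <init-param><param-name>hstsEnabled</param-name><param-value>true</param-value></init-param>
    <init-param><param-name>hstsMaxAgeSeconds</param-name><param-value>31536000</param-value></init-param>
    <init-param><param-name>hstsIncludeSubDomains</param-name><param-value>true</param-value></init-param>
  </filter>
</web-app>"""

if __name__ == "__main__":
    if len(sys.argv) < 2:  # usage: hsts_check.py <install dir> [https-url, only after step 5]
        sys.exit("usage: hsts_check.py <install dir> [https-url]")
    base = Path(sys.argv[1])
    print("server.xml unpackWARs ok:", check_server_xml((base / "tomcat/conf/server.xml").read_text()))
    for rel in WEB_XML_FILES:
        print(rel, check_web_xml((base / rel).read_text()) or "OK")
    if len(sys.argv) > 2:
        with urllib.request.urlopen(sys.argv[2], timeout=10) as resp:
            print("header:", check_hsts_header(resp.headers.get("Strict-Transport-Security")) or "OK")
```

The file checks only parse XML, so they are safe to run while the service is stopped; a file listed as having no httpHeaderSecurity filter (or a wrong parameter value) is one that step 4 missed. The header check matters because Tomcat's filter only emits the header on HTTPS responses, so a successful edit that is served on a port other than 443 would still show no header.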