Openfire, vulnerability scanning reports absence of HTTP headers

Hi

We installed Openfire at a customer who does vulnerability scanning. They came back with, among other things, the following:

the absence of the following HTTP headers (OWASP Secure Headers Project), classified under CWE-693: Protection Mechanism Failure:

X-Content-Type-Options: This HTTP header will prevent the browser from interpreting files as a different MIME type to what is specified in the Content-Type HTTP header.

Strict-Transport-Security: The HTTP Strict-Transport-Security response header (HSTS) allows web servers to declare that web browsers (or other complying user agents) should only interact with it using secure HTTPS connections, and never via the insecure HTTP protocol.

These should be set as follows:

X-Content-Type-Options: nosniff
Strict-Transport-Security: max-age=<seconds>[; includeSubDomains]

Can I apply a configuration on the openfire webserver so that this is solved?

Thanks

Mark

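A way to verify the two findings yourself before the customer re-scans, as an added example that is not part of this thread and not Openfire code: it parses a raw HTTP response head and reports whether X-Content-Type-Options and Strict-Transport-Security are present with acceptable values. The sample responses are constructed, not captured from an Openfire install; the one-year max-age floor, the admin console port 9091 and the /login.jsp path used by the optional live helper are assumptions of this example.

```python
"""Check a response for the headers the scan flagged (added example, not Openfire code)."""
import http.client
import re
import ssl

# One year is a commonly used floor for max-age. This threshold is an assumption
# of this example; the scan report only asks for the header to be present.
MIN_HSTS_MAX_AGE = 31536000


def parse_headers(raw: bytes) -> dict[str, list[str]]:
    """Split a raw HTTP response head into a lower-cased name -> values map."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    headers: dict[str, list[str]] = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def check_security_headers(raw: bytes) -> dict[str, str]:
    """Return header name -> problem for each failed check; empty means both pass."""
    headers = parse_headers(raw)
    findings: dict[str, str] = {}

    xcto = headers.get("x-content-type-options")
    if not xcto:
        findings["X-Content-Type-Options"] = "missing"
    elif xcto[0].lower() != "nosniff":
        findings["X-Content-Type-Options"] = f"unexpected value {xcto[0]!r}, expected 'nosniff'"

    hsts = headers.get("strict-transport-security")
    if not hsts:
        findings["Strict-Transport-Security"] = "missing"
    else:
        directives = [d.strip().lower() for d in hsts[0].split(";") if d.strip()]
        max_age = None
        for d in directives:
            m = re.fullmatch(r'max-age="?(\d+)"?', d)
            if m:
                max_age = int(m.group(1))
        if max_age is None:
            findings["Strict-Transport-Security"] = "present but has no max-age directive"
        elif max_age == 0:
            findings["Strict-Transport-Security"] = "max-age=0 tells browsers to forget the policy"
        elif max_age < MIN_HSTS_MAX_AGE:
            findings["Strict-Transport-Security"] = f"max-age={max_age} is below {MIN_HSTS_MAX_AGE}"
    return findings


def has_include_subdomains(raw: bytes) -> bool:
    """Report the optional [; includeSubDomains] part of the recommended value."""
    hsts = parse_headers(raw).get("strict-transport-security", [""])[0]
    return "includesubdomains" in [d.strip().lower() for d in hsts.split(";")]


def fetch_raw_head(host: str, port: int = 9091, path: str = "/login.jsp",
                   verify: bool = True) -> bytes:
    """Optional live helper: fetch a page over TLS and re-serialise its head.

    Port 9091 and /login.jsp are assumptions (Openfire admin console defaults as
    understood by the example author); adjust for your deployment.
    """
    ctx = ssl.create_default_context()
    if not verify:  # only for self-signed test installs
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    conn = http.client.HTTPSConnection(host, port, context=ctx, timeout=10)
    conn.request("GET", path)
    resp = conn.getresponse()
    head = f"HTTP/1.1 {resp.status} {resp.reason}\r\n"
    head += "".join(f"{k}: {v}\r\n" for k, v in resp.getheaders()) + "\r\n"
    conn.close()
    return head.encode("iso-8859-1", errors="replace")


# Constructed sample responses; not captured from a real Openfire server.
SAMPLE_UNHARDENED = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/html;charset=utf-8\r\n"
    b"Content-Length: 0\r\n"
    b"\r\n"
)
SAMPLE_HARDENED = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/html;charset=utf-8\r\n"
    b"x-content-type-options: NoSniff\r\n"  # header names and values are case-insensitive
    b"Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    b"\r\n"
)
SAMPLE_WEAK_HSTS = (
    b"HTTP/1.1 200 OK\r\n"
    b"X-Content-Type-Options: nosniff\r\n"
    b"Strict-Transport-Security: max-age=0\r\n"
    b"\r\n"
)

if __name__ == "__main__":
    for label, sample in [("unhardened", SAMPLE_UNHARDENED),
                          ("hardened", SAMPLE_HARDENED),
                          ("weak hsts", SAMPLE_WEAK_HSTS)]:
        print(label, check_security_headers(sample) or "OK",
              "includeSubDomains" if has_include_subdomains(sample) else "")
```

Run it against a live server with `check_security_headers(fetch_raw_head("openfire.example.internal"))`; an empty result means both scanner findings are addressed. Note that HSTS is only meaningful on the HTTPS listener, so test the TLS port, not the plain HTTP one.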

Hi Mark,

Thanks for suggesting these improvements. I have raised these tickets to track these requests:

I do not think that you can easily add these headers, without changes to Openfire’s code.
