X-Content-Type-Options HTTP Header missing on port 8080 and 8081

My server was recently scanned by our security office and they have come up with the following errors. Any advice on how I can take care of the absence of HTTP headers?

X-Content-Type-Options HTTP Header missing on port 8080 
X-Content-Type-Options HTTP Header missing on port 8080

This is what my virtual host setting looks like:

<VirtualHost *:80>
    # Guarantee HTTPS for 1 Year including Sub Domains.
    # Note: browsers ignore Strict-Transport-Security received over plain HTTP;
    # the copy in the :443 vhost below is the one that takes effect.
    Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"

    ServerName test.gov
    ServerAdmin awong@somewhere.com

    # Send all plain-HTTP requests to HTTPS. The Redirect alone does this;
    # the RewriteRule is a second copy and only runs with RewriteEngine On.
    Redirect permanent / https://test.gov/
    RewriteEngine On
    RewriteRule ^(.*)$ https://%{HTTP_HOST}$1 [redirect=301]
</VirtualHost>

<VirtualHost *:443>
    # Guarantee HTTPS for 1 Year including Sub Domains
    Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"

    ServerName test.gov
    ServerAlias test.gov
    ServerAdmin awong@somewhere.com
    ErrorLog ${APACHE_LOG_DIR}/test-error.log
    CustomLog ${APACHE_LOG_DIR}/test-access.log combined
    LogLevel warn

    SSLEngine on
    SSLCertificateFile /etc/ssl/certs/wildcard_gov.crt
    SSLCertificateKeyFile /etc/ssl/private/wildcard_gov.key
    SSLCertificateChainFile /etc/ssl/certs/DigiCert_SHA2_Secure_Server_CA.crt
    SSLProtocol -all +TLSv1.2 +TLSv1.3

    # Apache 2.2-style access control; on 2.4 this needs mod_access_compat
    <Proxy *>
        Order deny,allow
        Allow from all
    </Proxy>

    <IfModule mod_rewrite.c>
        RewriteEngine On

        # serving icons from apache 2 server
        RewriteRule ^/icons/ - [L]

        # everything else is proxied to the Zope instances on 8080/8081,
        # which answer without the Header directives configured here
        RewriteRule ^/(.*)$ balancer://zopeInstances/VirtualHostBase/https/%{SERVER_NAME}:443/test/VirtualHostRoot/$1 [L,P]
        <Proxy balancer://zopeInstances>
            BalancerMember http://127.0.0.1:8080
            BalancerMember http://127.0.0.1:8081
        </Proxy>
    </IfModule>

    <IfModule mod_proxy.c>
        ProxyVia On
        # prevent the webserver from being used as proxy
        <LocationMatch "^[^/]">
            Deny from all
        </LocationMatch>
    </IfModule>
</VirtualHost>

I also have the following in my apache.conf file:

# Content Security Policy ('unsafe-inline' and 'unsafe-eval' weaken it considerably)
Header always set Content-Security-Policy "default-src https: data: 'unsafe-inline' 'unsafe-eval'"
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"

# HTTP Public Key Pinning (deprecated; current browsers no longer honour this header)
Header always set Public-Key-Pins "pin-sha256='X3pGTSOuJeEVw989IJ/cEtXUEIsInsdj3xK8QrZbHec='; pin-sha256='MHJYVThihUrJcxW6wcqyOMHJYVThihUrJcxW6w='; pin-sha256='isi41AizREkLvvft0IRW4u3XMFR52zs1TZQrU06KUKg='; includeSubdomains; max-age=2592000"

# X-Xss-Protection (legacy; ignored by current browsers)
Header always set X-XSS-Protection "1; mode=block"

# X-Content-Type-Options (what the scan reported missing on 8080/8081)
Header always set X-Content-Type-Options "nosniff"

php_flag  display_errors  off

Any help or advice would be most appreciated.

Thanks so much,
Angela

Angela Wong via Plone Community wrote at 2022-8-30 15:23 +0000:

...
My server was recently scanned by our security office and they have come up with the following errors. Any advice on how I can take care of the absence of HTTP headers?

X-Content-Type-Options HTTP Header missing on port 8080
...
Any help or advice would be most appreciated.

You can set additional headers via Apache -- consult its documentation.

The reference to ports 8080 and 8081 suggests that
the check has been performed against Plone itself, not
against Apache.
Usually, you would ensure that there is no "external" access
to Plone itself. In this case, a vulnerability check
for Plone itself should not be necessary (as attackers could
only access Apache).

You can set additional headers in Plone itself
via a SiteAccess "access rule" (a TTW approach) or
a zope.traversing.interfaces.IBeforeTraverseEvent
(an object event) subscriber.
The corresponding event is notified when a portal
is traversed.
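One way to settle which listener the scanner actually talked to is to fetch the front page from port 443 (Apache) and from 8080/8081 (Zope directly) and compare the headers. The script below is an added example, not code from this thread or from Plone; the hostname argument and the sample Zope headers are constructed for illustration.

```python
import http.client
import sys

# Headers named in the scan and the values apache.conf sends (None = presence only)
EXPECTED_HEADERS = {
    "x-content-type-options": "nosniff",
    "strict-transport-security": None,
    "x-xss-protection": "1; mode=block",
}

def missing_headers(headers):
    """Names of expected headers absent or wrong in `headers`, a list of
    (name, value) pairs as HTTPResponse.getheaders() returns them."""
    present = {n.lower(): v.strip().lower() for n, v in headers}
    missing = []
    for name, expected in EXPECTED_HEADERS.items():
        value = present.get(name)
        if value is None or (expected is not None and value != expected):
            missing.append(name)
    return missing

def check_listener(host, port, tls, path="/"):
    """GET `path` from one listener; return (status, missing header names)."""
    cls = http.client.HTTPSConnection if tls else http.client.HTTPConnection
    conn = cls(host, port, timeout=10)
    try:
        conn.request("GET", path)
        resp = conn.getresponse()
        return resp.status, missing_headers(resp.getheaders())
    finally:
        conn.close()

# Constructed sample of the headers a Zope instance returns when reached directly,
# bypassing Apache and its "Header always set" directives.
SAMPLE_ZOPE_HEADERS = [("Server", "waitress"), ("Content-Type", "text/html;charset=utf-8")]

if __name__ == "__main__":  # usage: python check_headers.py test.gov
    host = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    # Compare the proxied front door with the backend ports the scan named.
    for port, tls in ((443, True), (8080, False), (8081, False)):
        try:
            status, missing = check_listener(host, port, tls)
            print(f"{host}:{port} -> HTTP {status}, missing: {missing or 'none'}")
        except OSError as exc:
            print(f"{host}:{port} -> unreachable: {exc}")
```

If 8080/8081 are reachable from the scanner's network at all, that is the finding to fix first (firewall or bind Zope to 127.0.0.1), independent of which headers they return.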

Thanks so much, @dieter. I am now waiting on my security people to see if they are scanning Apache or Plone.

While I wait, I am curious about how to add those access rules. Do you add them under Site Settings > Content Rules? I don't quite understand what you mean by "via SiteAccess 'access rule' (a TTW approach)". Please advise. Thanks so much.

Angela Wong via Plone Community wrote at 2022-8-30 20:38 +0000:

...
While I wait, I am curious about how to add those access rules. Do you add them under Site Settings > Content Rules? I don't quite understand what you mean by "via SiteAccess 'access rule' (a TTW approach)". Please advise. Thanks so much.

An "access rule" is added via the ZMI (= "Zope Management Interface")
(from its "add list").
You set a Zope object (usually a "Script (Python)" or "External Method")
as access rule.