Cisco Bug: CSCvi93955 - Security Header Not Detected - CWE-693: Protection Mechanism Failure

Last Modified

Aug 17, 2018

Products (1)

  • Cisco Firepower Management Center

Known Affected Releases

6.1.0, 6.2.2, 6.2.3

Description (partial)

Symptom:
An HTTP security header scan of the FMC and Firepower GUI may return the following result:

[+] There are 1 security headers
[*] Header X-Frame-Options is present! (Value:  SAMEORIGIN)

[-] There are not 7 security headers

[!] Missing security header: X-XSS-Protection
[!] Missing security header: Content-Security-Policy
[!] Missing security header: X-Content-Type-Options
[!] Missing security header: Referrer-Policy
[!] Missing security header: Strict-Transport-Security
[!] Missing security header: Public-Key-Pins
[!] Missing security header: X-Permitted-Cross-Domain-Policies
-------------------------------------------------------

On FDM, the following headers may be reported as missing:

[+] There are 4 security headers

[*] Header X-Content-Type-Options is present! (Value:  nosniff)
[*] Header X-XSS-Protection is present! (Value:  1; mode=block)
[*] Header X-Frame-Options is present! (Value:  SAMEORIGIN)
[*] Header Strict-Transport-Security is present! (Value:  max-age=31536000 ; includeSubDomains)

[-] There are not 4 security headers

[!] Missing security header: Content-Security-Policy
[!] Missing security header: Referrer-Policy
[!] Missing security header: Public-Key-Pins
[!] Missing security header: X-Permitted-Cross-Domain-Policies

Conditions:
Firepower software version 6.1 - 6.2.3
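The scan output quoted above is a presence check over a fixed list of response headers. The following is an added example, not Cisco's scanner or any code from the bug record, that reproduces that check offline: it parses a raw response header block, compares it case-insensitively against the eight header names the scanner reports on, and prints a report in the same layout. The two header blocks are constructed samples modelled on the FMC and FDM results above; the function and variable names are this example's own.

```python
"""Presence check for the HTTP security headers listed in the scan output above."""
from __future__ import annotations

# The header names the scanner reports on (taken from the scan output on this page).
EXPECTED_HEADERS = (
    "X-Frame-Options",
    "X-XSS-Protection",
    "Content-Security-Policy",
    "X-Content-Type-Options",
    "Referrer-Policy",
    "Strict-Transport-Security",
    "Public-Key-Pins",
    "X-Permitted-Cross-Domain-Policies",
)


def parse_raw_headers(raw: str) -> dict[str, str]:
    """Parse a response header block (status line optional) into a dict keyed by
    the lower-cased header name. Header names are case-insensitive in HTTP, so
    the case the server chooses must not affect the result."""
    headers: dict[str, str] = {}
    for line in raw.splitlines():
        if not line.strip() or line.startswith("HTTP/"):
            continue
        name, sep, value = line.partition(":")
        if not sep:
            continue  # malformed line: skip it rather than abort the scan
        headers[name.strip().lower()] = value.strip()
    return headers


def check_security_headers(headers: dict[str, str]) -> tuple[dict[str, str], list[str]]:
    """Return (present header -> value, list of missing headers), in the order of
    EXPECTED_HEADERS. This is a presence check only; it does not judge values."""
    lowered = {k.lower(): v for k, v in headers.items()}
    present = {h: lowered[h.lower()] for h in EXPECTED_HEADERS if h.lower() in lowered}
    missing = [h for h in EXPECTED_HEADERS if h.lower() not in lowered]
    return present, missing


def format_report(present: dict[str, str], missing: list[str]) -> str:
    """Render the result in the same layout as the scan output quoted above."""
    lines = [f"[+] There are {len(present)} security headers"]
    for name, value in present.items():
        lines.append(f"[*] Header {name} is present! (Value:  {value})")
    lines.append(f"[-] There are not {len(missing)} security headers")
    for name in missing:
        lines.append(f"[!] Missing security header: {name}")
    return "\n".join(lines)


# Constructed sample modelled on the FMC result: only X-Frame-Options is set.
FMC_SAMPLE = """HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
X-Frame-Options: SAMEORIGIN
"""

# Constructed sample modelled on the FDM result; mixed header-name case on purpose.
FDM_SAMPLE = """HTTP/1.1 200 OK
content-type: application/json
x-content-type-options: nosniff
x-xss-protection: 1; mode=block
X-Frame-Options: SAMEORIGIN
strict-transport-security: max-age=31536000 ; includeSubDomains
"""

if __name__ == "__main__":
    for label, raw in (("FMC", FMC_SAMPLE), ("FDM", FDM_SAMPLE)):
        present, missing = check_security_headers(parse_raw_headers(raw))
        print(f"--- {label} ---")
        print(format_report(present, missing))
```

Two caveats when using a check like this against the bug's conditions: a present header is not the same as a correct one (the example deliberately does not validate values such as the HSTS max-age or a Content-Security-Policy string), and the scanner's list reflects 2018 practice, so it still expects Public-Key-Pins and X-XSS-Protection, both of which mainstream browsers have since dropped support for. A missing entry for those two is not a finding of the same weight as a missing Content-Security-Policy or Strict-Transport-Security.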