This document describes the support position of Sustaining Engineering, relative to a McAfee Enterprise application.
McAfee Enterprise response to missing HTTP Security Headers and CWE-693: Protection Mechanism Failure
Overview
This document addresses concerns about missing HTTP security headers reported by vulnerability scanners against ePO. For background, see CWE-693: Protection Mechanism Failure.
Description
Some vulnerability scanners might flag the ePO HTTPS listeners on ports 8443 and 8444 with the following findings:
CWE-693 - Protection Mechanism Failure
QID 11827 - HTTP Security Header Not Detected
PluginID 84502 - HSTS Missing From HTTPS Server
The following response headers are the ones these findings check for:
- X-Frame-Options
- X-XSS-Protection
- X-Content-Type-Options
- Content-Security-Policy
- Strict-Transport-Security
Research and Conclusions
Engineering researched this finding and concluded that ePO is not vulnerable.
- X-Frame-Options: ePO sends X-Frame-Options: SAMEORIGIN on every webpage it serves, so ePO pages cannot be framed by another origin and ePO is protected against clickjacking.
- X-XSS-Protection: XSS injection and rendering are mitigated at multiple layers in ePO. Untrusted or user-supplied data is stored (where needed) and escaped (encoded) when rendered, which prevents XSS. ePO prevents XSS without relying on the X-XSS-Protection header. Note that this header is deprecated: current versions of Chrome and Edge have removed the XSS auditor it controlled and Firefox never implemented it, so its absence does not reduce protection in those browsers.
- X-Content-Type-Options: Most ePO content is served with an accurate Content-Type. Any content served without a Content-Type is static content managed by ePO/MFS. User-uploaded content is served with the appropriate Content-Type to prevent MIME sniffing. Older versions of Chrome and Internet Explorer were prone to MIME sniffing, but this is no longer the case with the latest versions of those browsers.
- Content-Security-Policy: ePO does not serve any HTML that loads scripts from external sources, so the absence of this header has no effect on the content being served. Inline script injection, which CSP can also restrict, is addressed by the output encoding described under X-XSS-Protection above.
- Strict-Transport-Security: HSTS is supported in ePO 5.10 Update 9 and later; update to that release or later. See KB93817 - How to verify that HTTP Strict Transport Security (HSTS) is installed.
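The following script is an added example (not McAfee code) for verifying the five headers above yourself, for instance after applying ePO 5.10 Update 9 or when reconciling a scanner report. It fetches the response headers from an HTTPS listener (host, port 8443 and the `verify_cert` switch for ePO's default self-signed certificate are assumptions) or parses a raw response you pasted in, then reports each header as `ok`, `missing`, or a reason. The HSTS check also validates that `max-age` is present and at least one year, which is what most scanners require before they clear the HSTS finding. The two sample responses at the bottom are constructed, not captured from a real ePO server.

```python
"""Check an HTTPS endpoint for the five headers named in this finding.

Added example, not McAfee code. Host, port and certificate handling are
assumptions; the sample responses at the bottom are constructed.
"""
import http.client
import ssl

ONE_YEAR = 31536000  # seconds; a common minimum for a useful HSTS max-age


def parse_raw_response(raw: str) -> dict:
    """Parse the status line and header block of a raw HTTP response.

    Returns {lower-cased header name: value}; repeated headers are joined with ', '.
    """
    head = raw.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        name, value = name.strip().lower(), value.strip()
        headers[name] = f"{headers[name]}, {value}" if name in headers else value
    return headers


def check_hsts(value: str) -> str:
    """Validate a Strict-Transport-Security value: max-age must be present and >= one year."""
    directives = {}
    for part in value.split(";"):
        key, _, val = part.strip().partition("=")
        directives[key.lower()] = val.strip('"')
    if "max-age" not in directives:
        return "max-age directive missing"
    try:
        max_age = int(directives["max-age"])
    except ValueError:
        return f"max-age not an integer: {directives['max-age']!r}"
    if max_age < ONE_YEAR:
        return f"max-age {max_age} is below one year"
    return "ok"


def evaluate_headers(headers: dict) -> dict:
    """Map each of the five headers from the finding to 'ok', 'missing' or a reason string."""
    h = {k.lower(): v for k, v in headers.items()}
    verdicts = {}

    xfo = h.get("x-frame-options")
    if xfo is None:
        verdicts["X-Frame-Options"] = "missing"
    elif xfo.upper() in ("DENY", "SAMEORIGIN"):  # the values current browsers honour
        verdicts["X-Frame-Options"] = "ok"
    else:
        verdicts["X-Frame-Options"] = f"unexpected value: {xfo}"

    # Deprecated header: current Chrome/Edge ignore it and Firefox never used it,
    # so presence is reported for completeness only.
    verdicts["X-XSS-Protection"] = "ok" if "x-xss-protection" in h else "missing"

    xcto = h.get("x-content-type-options")
    if xcto is None:
        verdicts["X-Content-Type-Options"] = "missing"
    else:
        verdicts["X-Content-Type-Options"] = "ok" if xcto.lower() == "nosniff" else f"unexpected value: {xcto}"

    verdicts["Content-Security-Policy"] = "ok" if "content-security-policy" in h else "missing"

    hsts = h.get("strict-transport-security")
    verdicts["Strict-Transport-Security"] = "missing" if hsts is None else check_hsts(hsts)
    return verdicts


def fetch_headers(host: str, port: int = 8443, path: str = "/", verify_cert: bool = True) -> dict:
    """GET `path` over TLS and return the response headers with lower-cased names."""
    ctx = ssl.create_default_context()
    if not verify_cert:  # assumption: ePO is still using its self-signed certificate
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    conn = http.client.HTTPSConnection(host, port, context=ctx, timeout=10)
    try:
        conn.request("GET", path)
        resp = conn.getresponse()
        return {name.lower(): value for name, value in resp.getheaders()}
    finally:
        conn.close()


# Constructed sample responses (not captured from a real ePO server).
SCANNER_VIEW = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html;charset=UTF-8\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "\r\n<html>...</html>"
)
HARDENED_VIEW = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html;charset=UTF-8\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    "\r\n<html>...</html>"
)

if __name__ == "__main__":
    for label, raw in (("scanner view", SCANNER_VIEW), ("hardened", HARDENED_VIEW)):
        print(label)
        for name, verdict in evaluate_headers(parse_raw_response(raw)).items():
            print(f"  {name:28} {verdict}")
```

To test a live server, replace the sample loop with `evaluate_headers(fetch_headers("epo.example.internal", 8443, verify_cert=False))` and repeat for port 8444; a finding that clears on one port but not the other usually means the Agent Handler listener was not updated. Disable certificate verification only on a trusted network segment, since it removes the check that you are talking to the real ePO server.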
Disclaimer
Any future product release dates mentioned in this statement are intended to outline our general product direction. They must not be relied on in making a purchasing decision:
- The product release dates are for information purposes only, and might not be incorporated into any contract.
- The product release dates aren’t a commitment, promise, or legal obligation to deliver any material, code, or functionality.
- The development, release, and timing of any features or functionality described for our products, remains at our sole discretion. They might be changed or canceled at any time.