Dell Unity: Vulnerability: QID: 11827- HTTP Security Header Not Detected (User Correctable)

Summary: Customer received vulnerability report: Vulnerability: QID: 11827- HTTP Security Header Not Detected.

This article is not tied to any specific product. Not all product versions are identified in this article.

Security Article Type

Security KB

CVE Identifier

No CVE ID

Issue Summary

QID 11827 is reported when one or more of the following HTTP response headers are missing:
X-Frame-Options, X-XSS-Protection, and X-Content-Type-Options.

  • X-Frame-Options tells the browser whether the page may be rendered inside a frame or iframe, which is the defense against clickjacking. A web application is only protected if every response page on the site carries the header; the value must be DENY or SAMEORIGIN, and the comparison is not case sensitive. 
  • X-XSS-Protection enables the browser's built-in reflected cross-site scripting filter. Chromium-based browsers have since removed that filter and Firefox never implemented it, so the header only helps older browsers, but scanners still report its absence. 
  • X-Content-Type-Options, with the value nosniff, instructs the browser not to MIME-sniff the response body and to honour the declared Content-Type. This prevents attacks that rely on a MIME-type mismatch, for example a user-uploaded file served as text being interpreted as script.

Recommendations

Upgrade to Unity OE release 5.3 or later, which implements the new HTTP security headers. After the upgrade, re-run the scan or inspect the headers returned on port 443 directly rather than assuming the finding is cleared.

5.3 Release notes:
https://dl.dell.com/content/manual23013845-dell-unity-family-release-notes-5-3-0-0-5-120.pdf?language=en-us

Functional area:
Security

Feature description:
New HTTP Security headers have been implemented.

Summary of benefits:
These security headers provide an additional layer of defense against cross-site scripting attacks and MIME sniffing attacks for vulnerable browsers.


Unity Security Configuration Guide:
https://dl.dell.com/content/manual51661175-dell-unity-family-security-configuration-guide.pdf?language=en-us

HTTP security headers for port 443
New HTTP Security headers have been implemented in Unity OE version 5.3 and later. The headers give instructions to the browser about how to behave when handling website content from the Unity web server. These security headers provide an additional layer of defense against cross-site scripting attacks and MIME sniffing attacks for vulnerable browsers.

The following new HTTP headers are implemented in the Unity web server:
● X-Content-Type-Options
● Content-Security-Policy
These new HTTP headers are available on port 443.
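The following is an added example, not part of the Dell article or of the Unity code base: a small offline checker for the headers behind QID 11827. It parses the header block of an HTTPS response, for instance the output of `curl -skI https://<unity-management-address>/` (the address is a placeholder; `-k` only if the array still uses a self-signed certificate), and reports which of the headers discussed in the Issue Summary are present with an acceptable value. Both sample responses are constructed for illustration, and the Content-Security-Policy value in the second one is an assumption, not what Unity returns. The second sample carries only the two headers the Security Configuration Guide excerpt above names, so the checker still reports X-Frame-Options and X-XSS-Protection as missing; that is the reason to verify the headers yourself after the upgrade.

```python
"""Offline checker for the HTTP security headers reported by QID 11827.

Usage: pipe the output of `curl -skI https://<unity-management-address>/`
into this script, or run it without input to evaluate the constructed
sample below. (Added example; not Dell or Unity code.)
"""
from typing import Dict, List


def parse_headers(raw: str) -> Dict[str, List[str]]:
    """Parse a raw HTTP/1.x response header block into a dict keyed by
    lower-cased header name. Header names are case-insensitive and a header
    may repeat, so every value is kept in a list. Anything after the blank
    line that ends the header block is ignored."""
    headers: Dict[str, List[str]] = {}
    lines = raw.replace("\r\n", "\n").split("\n")
    for line in lines[1:]:                 # lines[0] is the status line
        if line.strip() == "":
            break                          # blank line ends the header block
        name, sep, value = line.partition(":")
        if not sep:
            continue                       # not a header line; skip it
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def check_security_headers(raw: str) -> Dict[str, str]:
    """Evaluate the three headers QID 11827 reports on, plus CSP.

    Returns a dict mapping the canonical header name to "ok", "missing",
    or "bad value: <value>". X-Frame-Options is compared case-insensitively
    against DENY / SAMEORIGIN; X-Content-Type-Options has the single defined
    value "nosniff"; X-XSS-Protection counts as present unless it is
    explicitly disabled with "0". CSP is reported informationally, noting
    whether it carries a frame-ancestors directive (the CSP-era equivalent
    of X-Frame-Options)."""
    h = parse_headers(raw)
    result: Dict[str, str] = {}

    xfo = h.get("x-frame-options")
    if xfo is None:
        result["X-Frame-Options"] = "missing"
    elif xfo[0].upper() in ("DENY", "SAMEORIGIN"):
        result["X-Frame-Options"] = "ok"
    else:
        result["X-Frame-Options"] = f"bad value: {xfo[0]}"

    xcto = h.get("x-content-type-options")
    if xcto is None:
        result["X-Content-Type-Options"] = "missing"
    elif xcto[0].lower() == "nosniff":
        result["X-Content-Type-Options"] = "ok"
    else:
        result["X-Content-Type-Options"] = f"bad value: {xcto[0]}"

    xss = h.get("x-xss-protection")
    if xss is None:
        result["X-XSS-Protection"] = "missing"
    elif xss[0].startswith("0"):
        result["X-XSS-Protection"] = f"bad value: {xss[0]}"
    else:
        result["X-XSS-Protection"] = "ok"

    csp = h.get("content-security-policy")
    if csp is None:
        result["Content-Security-Policy"] = "missing"
    elif "frame-ancestors" in csp[0].lower():
        result["Content-Security-Policy"] = "ok (has frame-ancestors)"
    else:
        result["Content-Security-Policy"] = "ok (no frame-ancestors)"
    return result


def missing_headers(raw: str) -> List[str]:
    """Only the header names a scanner would flag as not detected."""
    return [name for name, state in check_security_headers(raw).items()
            if state == "missing"]


# Constructed sample responses (not captured from a Unity system).
# Before the fix: none of the security headers are present.
BEFORE = ("HTTP/1.1 200 OK\r\n"
          "Content-Type: text/html\r\n"
          "Server: Apache\r\n"
          "\r\n"
          "<html>...</html>")
# After an upgrade that adds only the two headers the 5.3 guide lists.
# Mixed-case name and value exercise the case-insensitive handling; the
# CSP value is an assumption for illustration.
AFTER = ("HTTP/1.1 200 OK\r\n"
         "Content-Type: text/html\r\n"
         "x-content-type-options: NoSniff\r\n"
         "Content-Security-Policy: default-src 'self'; frame-ancestors 'self'\r\n"
         "\r\n")

if __name__ == "__main__":
    import sys
    raw = AFTER if sys.stdin.isatty() else sys.stdin.read()
    for header, state in check_security_headers(raw).items():
        print(f"{header}: {state}")
```

Run it against each management IP and against any other HTTPS listener the scanner touches; a header present on one virtual host and absent on another is enough for the QID to be raised again.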

Affected Products

Dell EMC Unity
Article Properties
Article Number: 000215975
Article Type: Security KB
Last Modified: 21 Aug 2023
Version:  1