Xylok Security Suite must prevent access except through HTTPS.
Severity | Group ID | Group Title | Version | Rule ID | Date | STIG Version |
---|---|---|---|---|---|---|
high | V-269573 | SRG-APP-000014 | XYLK-20-000006 | SV-269573r1054093_rule | 2024-12-13 | 1 |
Description

Allowing access only over HTTPS protects sensitive data in transit.

HTTP_ONLY: If true, disables listening on the HTTPS port and allows all calls to happen over HTTP. This must be set to false.

HTTPS encrypts data transmitted between the client (browser) and the server. Sensitive information, such as login credentials, personal data, and session cookies, is protected from interception by malicious actors (e.g., through man-in-the-middle attacks) during transmission. Data sent over HTTP (unencrypted) can be intercepted and altered; HTTPS mitigates this by encrypting the communication.

HTTPS uses digital certificates (SSL/TLS certificates) to authenticate the server's identity. This ensures that users are connecting to the legitimate server rather than to a malicious entity attempting to impersonate the site.

HTTPS-only policies enable the use of HSTS, which forces browsers to interact with the site only over HTTPS and prevents users from being redirected to an HTTP version of the site. This defends against downgrade attacks such as SSL stripping, which force connections back to HTTP.

Satisfies: SRG-APP-000014, SRG-APP-000142, SRG-APP-000219, SRG-APP-000411, SRG-APP-000412, SRG-APP-000439, SRG-APP-000440, SRG-APP-000442, SRG-APP-000514, SRG-APP-000555, SRG-APP-000645
ℹ️ Check

Verify HTTP_ONLY is set to "false":

    $ grep HTTP_ONLY /etc/xylok.conf
    HTTP_ONLY=false

If "HTTP_ONLY=true" or HTTP_ONLY is not configured, this is a finding.
✔️ Fix

Add or amend HTTP_ONLY in the configuration file:

1. As root, open /etc/xylok.conf in a text editor.
2. Add or amend the following line in the configuration file:

        HTTP_ONLY=false

3. Restart Xylok to apply the setting by executing the following:

        # systemctl restart xylok
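An added audit script (not part of the STIG text and not Xylok's own tooling) that implements the check above more robustly: a bare grep also matches a commented-out HTTP_ONLY line, so this reads the last live assignment and reports anything other than HTTP_ONLY=false, including an unset key, as a finding. The config path is the one the STIG names; the sample config it builds is constructed.

```shell
#!/bin/sh
# Added example, not part of the STIG: audit the effective HTTP_ONLY value.
# "grep HTTP_ONLY" alone also matches comments and keys that merely contain
# the string, so we parse the last uncommented HTTP_ONLY=<value> line instead.
# Returns 0 when compliant (HTTP_ONLY=false) and 1 when this is a finding.
check_http_only() {
    conf="${1:-/etc/xylok.conf}"    # path named in the STIG check
    if [ ! -r "$conf" ]; then
        echo "FINDING: cannot read $conf"
        return 1
    fi
    # Keep only "HTTP_ONLY = value" lines (leading blanks allowed, comment
    # lines excluded), take the last one, strip CR, trailing blanks and quotes.
    value=$(sed -n 's/^[[:space:]]*HTTP_ONLY[[:space:]]*=[[:space:]]*//p' "$conf" \
        | tail -n 1 | tr -d '\r' \
        | sed "s/[[:space:]]*\$//; s/^[\"']//; s/[\"']\$//")
    case "$value" in
        false) echo "PASS: HTTP_ONLY=false in $conf"; return 0 ;;
        "")    echo "FINDING: HTTP_ONLY is not configured in $conf"; return 1 ;;
        *)     echo "FINDING: HTTP_ONLY=$value in $conf (must be false)"; return 1 ;;
    esac
}

# Constructed sample config showing the grep pitfall: the commented line
# would satisfy a plain "grep HTTP_ONLY", but the live setting is still true.
make_sample_conf() {
    printf '%s\n' '# HTTP_ONLY=false' 'HTTP_ONLY = true' > "$1"
}

if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp)
    make_sample_conf "$tmp"
    check_http_only "$tmp"          # reports a finding: HTTP_ONLY=true
    rm -f "$tmp"
fi
```

Run it as `sh audit_http_only.sh --demo` to see the sample finding, or call `check_http_only` with no argument to audit /etc/xylok.conf itself.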