LTM Management UI Security Settings
I'm running several BIG-IP LTM 5250F appliances on v13.1.0.7. After a recent security audit, the following five items were flagged against the web UI management page. Does anyone know if it is possible to modify and remediate any of these items?
- Autocomplete HTML Attribute Not Disabled for Password Field (suggested remediation: If the "autocomplete" attribute is missing in the "password" field of the "input" element, add it and set it to "off".)
- Request vulnerable to Cross-site Request Forgery (suggested remediation: The application should implement anti-CSRF tokens into all requests that perform actions which change the application state or which add/modify/delete content.)
- Missing "X-Content-Type-Options" header (suggested remediation: Configure your server to send the "X-Content-Type-Options" header with value "nosniff" on all outgoing requests.)
- Missing "X-XSS-Protection" header (suggested remediation: Configure your server to send the "X-XSS-Protection" header with value "1" (i.e. Enabled) on all outgoing requests.)
- Information Disclosure in Session Cookie [Username] (suggested remediation: Prevent the application from disclosing data or information within the session cookie.)
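Whatever the answer on the BIG-IP side turns out to be, it helps to be able to re-check the five findings yourself after any change, independently of the scanner. The script below is an added example and is not code from the post, from F5, or from the audit tool: it takes a captured HTTP response (header pairs plus HTML body) and reports which of the five findings still apply. The cookie names, the form field names, the login name `admin` and the token-name heuristic (`csrf`, `xsrf`, `token`, `nonce`) are all assumptions of this example, and the sample responses are constructed, not captured from a real appliance.

```python
"""Offline re-check of the five scanner findings against a captured HTTP response.

Headers are passed as (name, value) pairs so repeated Set-Cookie headers survive.
Standard library only; the inputs at the bottom are constructed samples.
"""
from html.parser import HTMLParser
from urllib.parse import unquote

# Hidden-field name fragments accepted as an anti-CSRF token (assumed heuristic).
TOKEN_NAME_HINTS = ("csrf", "xsrf", "token", "nonce")


class _FormParser(HTMLParser):
    """Collect <input type="password"> attrs and, per <form>, method and hidden field names."""

    def __init__(self):
        super().__init__()
        self.password_fields = []
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag.lower() == "form":
            self._current = {"method": a.get("method", "get").lower(), "hidden": []}
            self.forms.append(self._current)
        elif tag.lower() == "input":
            itype = a.get("type", "text").lower()  # "text" is the HTML default
            if itype == "password":
                self.password_fields.append(a)
            elif itype == "hidden" and self._current is not None:
                self._current["hidden"].append(a.get("name", "").lower())

    def handle_endtag(self, tag):
        if tag.lower() == "form":
            self._current = None


def audit_response(headers, body, username=None):
    """Return the sorted finding identifiers that apply to one response.

    username is the account that logged in; it is only used for finding 5.
    """
    findings = set()
    single, set_cookies = {}, []
    for name, value in headers:
        if name.lower() == "set-cookie":
            set_cookies.append(value)
        else:
            single[name.lower()] = value.strip()

    p = _FormParser()
    p.feed(body)

    # 1. Every password field must carry autocomplete="off".
    if any(f.get("autocomplete", "").lower() != "off" for f in p.password_fields):
        findings.add("password-autocomplete-enabled")

    # 2. A state-changing (POST) form with no hidden token-like field.
    for form in p.forms:
        if form["method"] == "post" and not any(
            hint in name for name in form["hidden"] for hint in TOKEN_NAME_HINTS
        ):
            findings.add("csrf-no-token")
            break

    # 3. X-Content-Type-Options must be exactly "nosniff".
    if single.get("x-content-type-options", "").lower() != "nosniff":
        findings.add("missing-x-content-type-options")

    # 4. X-XSS-Protection must be present and enabled ("1" or "1; mode=block").
    if not single.get("x-xss-protection", "").startswith("1"):
        findings.add("missing-x-xss-protection")

    # 5. The login name must not appear in any cookie, plain or percent-encoded
    #    (very short usernames will match trivially; review those hits by hand).
    if username:
        needle = username.lower()
        if any(needle in c.lower() or needle in unquote(c).lower() for c in set_cookies):
            findings.add("username-in-cookie")

    return sorted(findings)


# Constructed "before" response (assumed cookie/field names, not real BIG-IP output).
SAMPLE_HEADERS = [
    ("Content-Type", "text/html; charset=UTF-8"),
    ("Set-Cookie", "sessionid=3f9c1a7e; path=/; Secure; HttpOnly"),
    ("Set-Cookie", "login_user=admin; path=/; Secure"),
]
SAMPLE_BODY = """<html><body>
<form method="post" action="/login">
  <input type="text" name="username">
  <input type="password" name="passwd">
  <input type="submit" value="Log in">
</form></body></html>"""

# Constructed "after" response with all five items remediated.
HARDENED_HEADERS = SAMPLE_HEADERS[:2] + [
    ("X-Content-Type-Options", "nosniff"),
    ("X-XSS-Protection", "1; mode=block"),
]
HARDENED_BODY = SAMPLE_BODY.replace(
    'name="passwd"', 'name="passwd" autocomplete="off"'
).replace('<input type="submit"', '<input type="hidden" name="csrf_token" value="a1b2c3">\n  <input type="submit"')


def audit_sample():
    return audit_response(SAMPLE_HEADERS, SAMPLE_BODY, username="admin")


def audit_hardened():
    return audit_response(HARDENED_HEADERS, HARDENED_BODY, username="admin")


if __name__ == "__main__":
    print("before:", audit_sample())
    print("after: ", audit_hardened())
```

Feed it the raw headers and body from a logged-in browser session (or a curl capture with the session cookie) rather than the unauthenticated login page, since finding 5 only shows up once the session cookies are set. One caveat on the fourth item: the X-XSS-Protection header is ignored by Firefox and by current Chromium-based browsers, so adding it satisfies the scanner but does not change how those browsers treat the page; the other four items are worth fixing regardless.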