STIGQter STIGQter: STIG Summary: Apache Server 2.4 Windows Server Security Technical Implementation Guide Version: 2 Release: 1 Benchmark Date: 23 Oct 2020:

The Apache web server cookies, such as session cookies, sent to the client using SSL/TLS must not be compressed.

DISA Rule

SV-214355r505936_rule

Vulnerability Number

V-214355

Group Title

SRG-APP-000439-WSR-000153

Rule Version

AS24-W1-000860

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Perform the following to implement the recommended state:

Search the Apache configuration files for the "SSLCompression" directive. If the directive is present, set it to "Off".

Restart the Apache service.

Check Contents

Search the Apache configuration files for the "SSLCompression" directive.

If the "SSLCompression" directive does not exist, this is a not a finding.

If the "SSLCompression" directive exists and is not set to "Off", this is a finding.

Vulnerability Number

V-214355

Documentable

False

Rule Version

AS24-W1-000860

Severity Override Guidance

Search the Apache configuration files for the "SSLCompression" directive.

If the "SSLCompression" directive does not exist, this is a not a finding.

If the "SSLCompression" directive exists and is not set to "Off", this is a finding.

Check Content Reference

M

Target Key

3998

Comments