STIGQter: STIG Summary: Web Server Security Requirements Guide Version: 2 Release: 3 Benchmark Date: 26 Apr 2019:

Web server cookies, such as session cookies, sent to the client using SSL/TLS must not be compressed.

DISA Rule

SV-70259r2_rule

Vulnerability Number

V-56005

Group Title

SRG-APP-000439-WSR-000153

Rule Version

SRG-APP-000439-WSR-000153

Severity

CAT II

CCI(s)

• CCI-002418 - The information system protects the confidentiality and/or integrity of transmitted information.

Weight

10

Fix Recommendation

Configure the web server to send the cookie to the client via SSL/TLS without using cookie compression.

Check Contents

Review the web server documentation and deployed configuration to determine whether cookies are being sent to the client using SSL/TLS.

If the transmission is through a SSL/TLS connection, but the cookie is not being compressed, this finding is NA.

If the web server is using SSL/TLS for cookie transmission and the cookie is also being compressed, this is a finding.

Vulnerability Number

V-56005

Documentable

False

Rule Version

SRG-APP-000439-WSR-000153

Severity Override Guidance

Review the web server documentation and deployed configuration to determine whether cookies are being sent to the client using SSL/TLS.

If the transmission is through a SSL/TLS connection, but the cookie is not being compressed, this finding is NA.

If the web server is using SSL/TLS for cookie transmission and the cookie is also being compressed, this is a finding.

Check Content Reference

M

Target Key

2557

Comments