Finding Feature Information
Your software release may not support all the features documented in this module. For the latest caveats and feature information, see Bug Search Tool and the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the feature information table.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.
Information About Nginx/HTTP Web Security Features
-
SSL/TLS Version for HTTP secure-server -- This enhancement is used to specify the TLS version to be used for HTTPS Server and HTTPS client sessions. -
HTTPS Server command -- By default, it supports three versions. If you want to use a particular version for the sessions, you can specify by configuring the ip http tls-version command in global configuration mode. The versions are TLSv1.0, TLSv1.1, and TLSv1.2.
-
HTTPS Client command -- By default, it supports three versions. If you want to use a particular version for the sessions, you can specify by configuring the ip http client tls-version command in global configuration mode. The versions are TLSv1.0, TLSv1.1, and TLSv1.2.
-
Note |
These commands allow you to set the particular version used for sessions. The underlying SSL infrastructure supports the option of specifying either all or only one TLS version. Hence the HTTPS provides the option to specify the individual version. Use the no form of the command to remove the configuration. |
- Security Header Enhancements
-
HTTP Server – The following headers are the web server security enhancements. The actual headers and respective values appear in the response by default:
X-XSS-Protection: 1; mode=block -- This header indicates that XSS protection is enabled [ value 1 ] and if the browser finds any attack, it should block rendering the page.
X-Frame-Options: SAMEORIGIN - Allows the contents to be rendered in a frame if it belongs to the same domain.
X-Content-Type-Options: nosniff - Prevents the browser from doing MIME-type sniffing.
Strict-Transport-Security: max-age=7884000 - Strict-Transport-Security HTTP header. Use the [no] ip http HSTS-Header to enable/disable this header for IOS applications. By default, it is enabled and use the no ip http HSTS-Header command disable this header from the response.
- Nginx – Web user
interface - Nginx applications take care of the headers for their response. As
Web UI is one of the NginX application, it adds the security headers. The three
headers are the following:
-
X-XSS-Protection: 1; mode=block
-
X-Frame-Options: SAMEORIGIN
-
X-Content-Type-Options: nosniff
-
-
Verifying the Configured Version
Use the show ip http client all command to see the currently enabled TLS version.
Device# show ip http client all
<snip>
Maximum number of requests allowed on a connection: 25
Server linger time : 60 seconds
HTTP server active session modules: ALL
HTTP secure server capability: Present
HTTP secure server status: Enabled
HTTP secure server port: 443
HTTP secure server ciphersuite: 3des-ede-cbc-sha aes-128-cbc-sha
aes-256-cbc-sha dhe-aes-128-cbc-sha ecdhe-rsa-3des-ede-cbc-sha
HTTP secure server TLS version: TLSv1.2 TLSv1.1 TLSv1.0 <<<This line shows the TLS version that is enabled.
HTTP secure server client authentication: Disabled
HTTP secure server trustpoint:
HTTP secure server active session modules: ALL
<snip>
Use the show http server status command to see the currently enabled TLS version.
Device# show http server status
<snip>
Maximum number of concurrent server connections allowed: 50
Maximum number of secondary server connections allowed: 50
Server idle time-out: 180 seconds
Server life time-out: 180 seconds
Server session idle time-out: 180 seconds
Maximum number of requests allowed on a connection: 25
Server linger time : 60 seconds
HTTP server active session modules: ALL
HTTP secure server capability: Present
HTTP secure server status: Enabled
HTTP secure server port: 443
HTTP secure server ciphersuite: 3des-ede-cbc-sha aes-128-cbc-sha
aes-256-cbc-sha dhe-aes-128-cbc-sha ecdhe-rsa-3des-ede-cbc-sha
HTTP secure server TLS version: TLSv1.2 TLSv1.1 TLSv1.0 <<<This line shows the TLS version that is enabled.
HTTP secure server client authentication: Disabled
HTTP secure server trustpoint:
<snip>
Additional References
Related Documents
Related Topic |
Document Title |
---|---|
Additional HTTP configuration information |
Using the Cisco Web Browser User Interface |
Additional HTTPS configuration information |
HTTPS - HTTP Server and Client with SSL 3.0 |
Additional HTTP and HTTPS commands |
Cisco IOS Network Management Command Reference |
Technical Assistance
Description |
Link |
---|---|
The Cisco Support website provides extensive online resources, including documentation and tools for troubleshooting and resolving technical issues with Cisco products and technologies. To receive security and technical information about your products, you can subscribe to various services, such as the Product Alert Tool (accessed from Field Notices), the Cisco Technical Services Newsletter, and Really Simple Syndication (RSS) Feeds. Access to most tools on the Cisco Support website requires a Cisco.com user ID and password. |
Feature Information for Nginx/HTTP -- Web Security Features
The following table provides release information about the feature or features described in this module. This table lists only the software release that introduced support for a given feature in a given software release train. Unless noted otherwise, subsequent releases of that software release train also support that feature.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.
Feature Name |
Releases |
Feature Information |
---|---|---|
Nginx/HTTP -- Web Security Features |
Cisco IOS XE Everest 16.4.1 Release |
For the Cisco IOS XE Everest 16.4.1 release, the following web security enhancements have been included:
|