Description: Some customers performing vulnerability scans or penetration tests on the Linux machine hosting their OpenVPN Access Server receive a warning such as, "HTTP Security Header Not Detected." It's warning that the OpenVPN Access Server doesn't have the "HTTP security header" necessary to comply with the vulnerability scan.
Resolution: By default, OpenVPN Access Server doesn't implement HTTP security headers because it doesn't require these to function, but these can get flagged in a vulnerability scan. However, there is no security risk involved having OpenVPN Access Server without HTTP security headers.
If you must implement custom HTTP security headers for any reason, such as compliance, refer to specify custom HTTP headers. This requires OpenVPN Access Server 2.9.4 and newer.
Note: OpenVPN Access Server allows any custom HTTP security header. It's possible a custom header can certainly cause problems with how Access Server functions if it blocks certain things that Access Server needs. If that occurs, then we suggest removing those offending HTTP headers so that the OpenVPN Access Server can continue functioning.
If you have additional questions, please submit a ticket.