1.8.3 Ensure 'HTTP idle timeout' is less than or equal to '5' minutes

Information

Sets the timeout for an HTTP session idle before the security appliance terminates it.

Rationale:

Limiting session idle timeout prevents unauthorized users from using abandoned sessions to perform malicious activities.

Solution

Step 1: Run the following to set the HTTP timeout to less than or equal to 5 minutes

hostname(config)# http server idle-timeout 5

Default Value:

The default session timeout value is 20 minutes.

See Also

https://workbench.cisecurity.org/benchmarks/7194