Added HTTP security headers in the Kibana config *.yml file, but they are not reflected on the server. Please help me.

server.customResponseHeaders: { "Strict-Transport-Security" : "max-age= 31536000; includeSubdomains"}
server.customResponseHeaders: { "X-Content-Type-Options": "nosniff"}
server.customResponseHeaders: { "X-XSS-Protection": "1; mode=block"}
server.customResponseHeaders: { "X-Frame-Options": "allow-from domainurl"}
server.customResponseHeaders: { "Cache-Control" : "no-cache"}

I'm not sure Kibana supports this natively - someone may know better on this. I have done this before by putting Kibana behind an nginx reverse proxy and defining my security headers in the nginx.conf.

DigitalOcean provides some fairly straightforward guides on setting up nginx as a reverse proxy for Kibana. You could simply leave out the authentication piece if you aren't looking for authentication (especially if you are already using Security). Here is a guide for Ubuntu 18.04: https://www.digitalocean.com/community/tutorials/how-to-install-elasticsearch-logstash-and-kibana-elastic-stack-on-ubuntu-18-04

Here is an example security header configuration in nginx: https://gist.github.com/plentz/6737338 This is billed as "The Best" configuration but I would pick and choose what I use based on my needs as there is plenty I wouldn't use from that configuration.

Thanks for the update. But we need to do the setting via the Kibana yml file. Any help will be much appreciated.
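Added example, not part of the original thread and not Elastic's code: `server.customResponseHeaders` takes a single mapping of header names to values, and a YAML mapping key may appear only once, so the five repeated lines in the first post cannot add up to five headers (a parser either rejects the file or keeps one entry). The sketch below finds repeated top-level keys and merges the posted lines into one mapping; the function names are hypothetical, the sample is the five lines from the post, and it assumes each value is a JSON-style `{ "name": "value" }` mapping as written there.

```python
import json
import re

# Constructed sample: the five lines from the first post, as they would sit in kibana.yml.
SAMPLE = '''\
server.customResponseHeaders: { "Strict-Transport-Security" : "max-age= 31536000; includeSubdomains"}
server.customResponseHeaders: { "X-Content-Type-Options": "nosniff"}
server.customResponseHeaders: { "X-XSS-Protection": "1; mode=block"}
server.customResponseHeaders: { "X-Frame-Options": "allow-from domainurl"}
server.customResponseHeaders: { "Cache-Control" : "no-cache"}
'''

# Unindented "key: value" lines only; comments and nested lines do not match.
TOP_LEVEL = re.compile(r'^([A-Za-z0-9_.\-]+)\s*:\s*(.*)$')


def find_duplicate_keys(text):
    """Return {key: [line numbers]} for top-level keys that occur more than once."""
    seen = {}
    for number, line in enumerate(text.splitlines(), 1):
        match = TOP_LEVEL.match(line)
        if match:
            seen.setdefault(match.group(1), []).append(number)
    return {key: lines for key, lines in seen.items() if len(lines) > 1}


def merge_flow_mappings(text, key):
    """Combine every `key: { ... }` line into one dict, keeping values verbatim."""
    merged = {}
    for line in text.splitlines():
        match = TOP_LEVEL.match(line)
        if match and match.group(1) == key:
            merged.update(json.loads(match.group(2)))  # assumption: JSON-style value
    return merged


def render(key, mapping):
    """Emit the key once, as a YAML block mapping with quoted names and values."""
    lines = [key + ":"]
    for name, value in mapping.items():
        lines.append("  %s: %s" % (json.dumps(name), json.dumps(value)))
    return "\n".join(lines)


if __name__ == "__main__":
    for key, where in find_duplicate_keys(SAMPLE).items():
        print("# %s is defined %d times (lines %s)" % (key, len(where), where))
        print(render(key, merge_flow_mappings(SAMPLE, key)))
```

After replacing the repeated lines with the single block and restarting Kibana, `curl -sI` against the Kibana URL shows whether the headers are now sent.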
