After I upgraded the Elastic Stack to 8.6.0 and carried out a vulnerability scan on Kibana using the Micro Focus tool, there were vulnerabilities as follows:
I have made changes to the Kibana configuration, namely changing
server.customResponseHeaders:
  Cache-Control: "no-cache, no-store"
but that does not solve the problem; this vulnerability is still detected in the next scan.
Please suggest a solution to rectify this.
Hi,
Kibana uses the following Cache-Control directives to ensure that content is not cached:
Cache-Control: private, no-cache, no-store, must-revalidate
Static assets like script files (which do not contain any user data) should be cached by the browser for improved performance and use the following directive:
Cache-Control: must-revalidate
I can't verify which directives your scanner is picking up since you haven't posted those details, but if that's not what you're getting, you might have an upstream proxy or load balancer interfering with the header.
I can see from the report that the scanner has made a request to https://centrallogs-uat.danamon.co.id/translations/en.json. This is a static asset (English language bundle) and does not contain any user data. As such, this file is safe to cache by browsers and you can safely ignore this warning.
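
A way to triage this kind of scanner finding against the header policy described in the answer above. This is an added example, not part of the thread and not Kibana's own code. The `STATIC_PREFIXES` list, the `triage` helper, and the sample URLs other than `/translations/en.json` are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

# Assumption: path prefixes treated as static assets. Only /translations/ is
# named in the thread; extend it after checking your own deployment.
STATIC_PREFIXES = ("/translations/",)

# Directives the answer says Kibana sends on content that must not be cached.
REQUIRED_DYNAMIC = {"private", "no-cache", "no-store", "must-revalidate"}


def parse_cache_control(value):
    """Return the set of lower-cased directive names in a Cache-Control value."""
    directives = set()
    for part in (value or "").split(","):
        name = part.strip().split("=", 1)[0].lower()
        if name:
            directives.add(name)
    return directives


def triage(url, cache_control):
    """Classify one finding as ('static-ok' | 'ok' | 'investigate', reason)."""
    path = urlsplit(url).path  # accepts a full URL or a bare path
    if path.startswith(STATIC_PREFIXES):
        return "static-ok", "static asset without user data; caching is expected"
    missing = REQUIRED_DYNAMIC - parse_cache_control(cache_control)
    if not missing:
        return "ok", "all expected no-cache directives present"
    # A missing directive on dynamic content points at something between the
    # scanner and Kibana (proxy, load balancer) rewriting the header.
    return "investigate", "missing: " + ", ".join(sorted(missing))


if __name__ == "__main__":
    # Constructed sample findings: (requested URL, Cache-Control value seen).
    findings = [
        ("https://kibana.example/translations/en.json", "must-revalidate"),
        ("https://kibana.example/example/dynamic-page",
         "private, no-cache, no-store, must-revalidate"),
        ("https://kibana.example/example/dynamic-page", "max-age=3600"),
    ]
    for url, header in findings:
        verdict, reason = triage(url, header)
        print(f"{verdict:12} {url}  ({reason})")
```
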