How to add http response header in Elasticsearch

I encountered three security-related issues when using elasticserrch version 7.6.1. Thank you for your help.

  1. How does elasticserrch configure http response headers, such as X-Content-Type-Options, X-XSS-Protection, Content-Security-Policy, Strict-Transport-Security, etc.
  2. How does elasticserrch solve this security scanning problem "The target host may have a slow HTTP denial of service attack detected"
  3. Are elasticserrch and http OPTIONS methods necessary? Where is he used? Can it be closed?

thank!

Can you explain in more details, why you need CORS and especially the other headers? Elasticsearch is not supposed to be available on the internet, and many of those headers are used for in-browser security, but an attacker would not care.

That said, there are a couple of CORS headers, that can be set, see Networking | Elasticsearch Guide [7.13] | Elastic

Can you explain what your security scanner is doing, instead of pasting the message of that security scanner, that would help a lot. I have an assumption, but that might be off, so some more context would be appreciated :slight_smile:

What do you mean with "can it be closed"? In order to be a valid HTTP server that is used, and IIRC it is needed for CORS pre flight? (Would need to look it up to be sure, but that's what I remember on top of my head).

Just to reiterate and make sure:

Do not put Elasticsearch on the internet, unless you have TLS and Authentication/User management enabled". No matter, if your security scanner says, all is fine...