How to add http response header in Elasticsearch

I encountered three security-related issues when using Elasticsearch version 7.6.1. Thank you for your help.

  1. How does Elasticsearch configure HTTP response headers, such as X-Content-Type-Options, X-XSS-Protection, Content-Security-Policy, Strict-Transport-Security, etc.?
  2. How does Elasticsearch solve this security scanning problem: "The target host may have a slow HTTP denial of service attack detected"?
  3. Is the HTTP OPTIONS method necessary for Elasticsearch? Where is it used? Can it be closed?

Thanks!

Can you explain in more detail why you need CORS and especially the other headers? Elasticsearch is not supposed to be available on the internet, and many of those headers are used for in-browser security, but an attacker would not care.

That said, there are a couple of CORS headers that can be set, see Networking | Elasticsearch Guide [7.13] | Elastic

Can you explain what your security scanner is doing, instead of pasting the message of that security scanner? That would help a lot. I have an assumption, but that might be off, so some more context would be appreciated :slight_smile:

What do you mean with "can it be closed"? It is used in order to be a valid HTTP server, and IIRC it is needed for CORS preflight? (Would need to look it up to be sure, but that's what I remember off the top of my head.)

Just to reiterate and make sure:

Do not put Elasticsearch on the internet unless you have TLS and authentication/user management enabled. No matter if your security scanner says all is fine...
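The CORS settings the reply refers to live in the `http.cors.*` section of `elasticsearch.yml`. The fragment below is an added example, not from the original thread or from the Elastic documentation page it links; the origin pattern for the trusted browser client is an assumed placeholder, and these settings do not add the other headers listed in the question (CSP, HSTS, X-Content-Type-Options), which Elasticsearch's own HTTP layer does not emit.

```yaml
# elasticsearch.yml (added example, not from the thread)
#
# CORS only matters when a browser application talks to Elasticsearch
# directly; leave it disabled (the default) if that is not the case.
http.cors.enabled: true

# Restrict the allowed origin to a specific client. The pattern below is
# a placeholder for your own trusted origin. Never use "*" or the regex
# "/.*/" here: that lets any website a logged-in user visits send
# credentialed requests to the cluster.
http.cors.allow-origin: "/https:\\/\\/app\\.example\\.internal(:[0-9]+)?/"

# Only what the client actually needs. OPTIONS stays in the list because
# the browser sends it as the CORS preflight request.
http.cors.allow-methods: OPTIONS, HEAD, GET, POST
http.cors.allow-headers: X-Requested-With, Content-Type, Content-Length, Authorization

# Required when the browser client sends credentials (cookies, Authorization).
http.cors.allow-credentials: true

# How long (seconds) the browser may cache the preflight response.
http.cors.max-age: 1728000
```

Because CORS is enforced by browsers and not by the server, none of these settings restrict what a non-browser client can do; that is the reply's point that TLS plus authentication, not response headers, is what actually protects a cluster.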
