HSTS configuration for ElasticSearch

Ravi_GH · January 6, 2021, 9:10am

We have HSTS vulnerability for Elasticsearch server (v7.5.2 & v6.8.6) as mentioned @ https://www.tenable.com/plugins/nessus/142960

How to enable HSTS for the elasticsearch server.

TimV · January 7, 2021, 12:13am

There is no option to enable HSTS in Elasticsearch other than to place a proxy in front of it.

However, because Elasticsearch can only listen on one of HTTP or HTTPS, but not both simultaneously, it is not susceptible to downgrade attacks, unless they are also accompanied by DNS hijacking.

system · February 4, 2021, 12:13am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
HSTS Missing From HTTPS Server for elasticsearch Elasticsearch elastic-stack-security	2	296	March 6, 2024
Access Elasticsearch with HTTPs and HTTP Elasticsearch	2	1355	September 8, 2023
HTTPS and HTTP Elasticsearch	1	24	November 4, 2024
Issue while Configuring SSL, TLS, and HTTPS to secure Elasticsearch Elasticsearch elastic-stack-security	2	460	August 20, 2019
Enabling http & https connections to elastic Elasticsearch elastic-stack-security	3	766	July 15, 2021

HSTS configuration for ElasticSearch

Related topics