HTTP Security Header Not Detected - Vulnerability

Hello!

Scans in my company detected a vulnerability from the title - is there any way to set HTTP Headers on Elasticsearch?
We are using Elastic 6.8.0.

I assume you got this from an automated check like https://securityheaders.com?

That is for websites anybody would browse (and applies to Kibana, for example), but it doesn't make much sense for a datastore; e.g., you wouldn't run this against MySQL (if it had an HTTP interface), right?

Sadly, no. This vulnerability is a result from QUALYS scanning.

I understand that this result may be a 'false positive', but I would be very grateful if someone here would confirm it :slight_smile: As you pointed out, Security Headers for Kibana would make a lot of sense; for Elasticsearch I don't really know, I guess not?

Different scanner but pretty much the same thing :slight_smile:

Are your users going to browse the Elasticsearch endpoints? I'm pretty sure the answer is no, so those headers don't make sense :man_shrugging:

@Zerobot You're welcome to mail security@elastic.co with the specific results if you want an official answer.

Thank you very much, I'll do exactly that! :slight_smile: