HTTP Security Header Not Detected - Vulnerability


Scans in my company detected a vulnerability from the title - is there any way to set HTTP Headers on Elasticsearch?
We are using Elastic 6.8.0.

I assume you got this from an automated check like

That is for websites anybody would browse (and applies to Kibana, for example), but it doesn't make much sense for a datastore; e.g. you wouldn't run this against MySQL (if it had an HTTP interface), right?

Sadly, no. This vulnerability is a result from QUALYS scanning.

I understand that this result may be a 'false positive', but I would be very grateful if someone here would confirm it :slight_smile: As you pointed out, Security Headers for Kibana would make a lot of sense; for Elasticsearch I don't really know, I guess not?

Different scanner but pretty much the same thing :slight_smile:

Are your users going to browse the Elasticsearch endpoints? I'm pretty sure the answer is no, so those headers don't make sense :man_shrugging:


@Zerobot You're welcome to mail with the specific results if you want an official answer.

Thank you very much, I'll do exactly that! :slight_smile: