Hello!
Scans in my company detected a vulnerability from the title - is there any way to set HTTP Headers on Elasticsearch?
We are using Elastic 6.8.0.
I assume you got this from an automated check like https://securityheaders.com?
That is for websites anybody would browse (and applies to Kibana for example), but it doesn't make much sense for a datastore; e.g., you wouldn't run this against MySQL (if it had an HTTP interface), right?
Sadly, no. This vulnerability is a result from QUALYS scanning.
I understand that this result may be a 'false positive', but I would be very grateful if someone here would confirm it.
As you pointed out - Security Headers for Kibana would make a lot of sense, for Elasticsearch I don't really know, I guess not?
Different scanner but pretty much the same thing.
Are your users going to browse the Elasticsearch endpoints? I'm pretty sure the answer is no, so those headers don't make sense.
@Zerobot You're welcome to mail security@elastic.co with the specific results if you want an official answer.
Thank you very much, I'll do exactly that!