HTTP strict Transport Security

We recently had a Burp Suite scan done and it found that "BurpSuite Found: 'Strict transport security not enforced' (Type: 16777984)"
To correct the issue, below is what was suggested:-

"The application should instruct web browsers to only access the application using HTTPS. To do this, enable HTTP Strict Transport Security (HSTS) by adding a response header with the name 'Strict-Transport-Security' and the value 'max-age=expireTime', where expireTime is the time in seconds that browsers should remember that the site should only be accessed using HTTPS. Consider adding the 'includeSubDomains' flag if appropriate."

How do I make those changes in Kibana?


You can try and achieve this by using the server.customResponseHeaders and specifying your own custom one.
The format for the setting is like this: Format of kibana server.customResponseHeaders

Thanks, setting the server.customResponseHeaders did work. Is there a similar for Elasticsearch?


1 Like

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.