HTTP Strict Transport Security

#1

We recently had a Burp Suite scan done, and it found "BurpSuite Found: 'Strict transport security not enforced' (Type: 16777984)".
To correct the issue, below is what was suggested:

"The application should instruct web browsers to only access the application using HTTPS. To do this, enable HTTP Strict Transport Security (HSTS) by adding a response header with the name 'Strict-Transport-Security' and the value 'max-age=expireTime', where expireTime is the time in seconds that browsers should remember that the site should only be accessed using HTTPS. Consider adding the 'includeSubDomains' flag if appropriate."

How do I make those changes in Kibana?

Thanks

(Marius Dragomir) #2

Hello,
You can try to achieve this by using the server.customResponseHeaders setting (https://www.elastic.co/guide/en/kibana/current/settings.html) and specifying your own custom one.
The format for the setting is like this: Format of kibana server.customResponseHeaders
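
An added example, not part of the original post and not Elastic's code: a checker that parses the Strict-Transport-Security value the way a browser does (RFC 6797), for confirming that the header set through server.customResponseHeaders is one browsers will honour. The function names, the 180-day threshold and the sample max-age in the comment are assumptions.

```python
# Added example, not from the thread. Checks a Strict-Transport-Security
# value the way a browser does (RFC 6797 sections 6.1 and 8.1).
# Assumed kibana.yml line under test (max-age is a constructed sample):
#   server.customResponseHeaders: {"Strict-Transport-Security": "max-age=31536000"}
MIN_MAX_AGE = 15552000  # 180 days; assumed policy threshold


def parse_hsts(value):
    """Return the directives as a dict, or None if browsers must ignore the header."""
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue  # empty directives (";;") are permitted
        name, _, val = part.partition("=")
        name, val = name.strip().lower(), val.strip()  # names are case-insensitive
        if len(val) >= 2 and val[0] == val[-1] == '"':
            val = val[1:-1]  # quoted-string form: max-age="31536000"
        if not name or name in directives:
            return None  # a nameless or repeated directive invalidates the header
        directives[name] = val
    max_age = directives.get("max-age", "")
    if not (max_age.isascii() and max_age.isdigit()):
        return None  # max-age is required and must be a non-negative integer
    directives["max-age"] = int(max_age)
    return directives


def audit_hsts(headers, scheme="https"):
    """headers: list of (name, value) pairs. Returns findings; empty list = pass."""
    if scheme != "https":
        return ["HSTS over plain HTTP is ignored by browsers"]
    values = [v for k, v in headers if k.lower() == "strict-transport-security"]
    if not values:
        return ["Strict-Transport-Security header missing"]
    policy = parse_hsts(values[0])  # only the first header field is processed
    if policy is None:
        return ["header malformed; browsers will ignore it"]
    findings = []
    if policy["max-age"] == 0:
        findings.append("max-age=0 removes the HSTS policy")
    elif policy["max-age"] < MIN_MAX_AGE:
        findings.append("max-age shorter than %d seconds" % MIN_MAX_AGE)
    if "includesubdomains" not in policy:
        findings.append("includeSubDomains not set")
    return findings
```

Feed it the header pairs from any HTTP client's response for the Kibana URL; a value copied literally from the scanner advice ('max-age=expireTime') is reported as malformed.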

#3

Thanks, setting the server.customResponseHeaders did work. Is there a similar setting for Elasticsearch?

Thanks

(system) closed #4

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.