HTTP strict Transport Security

mbarker · March 15, 2019, 6:03pm

We recently had a Burp Suite scan done and it found that "BurpSuite Found: 'Strict transport security not enforced' (Type: 16777984)"
To correct the issue, below is what was suggested:-

"The application should instruct web browsers to only access the application using HTTPS. To do this, enable HTTP Strict Transport Security (HSTS) by adding a response header with the name 'Strict-Transport-Security' and the value 'max-age=expireTime', where expireTime is the time in seconds that browsers should remember that the site should only be accessed using HTTPS. Consider adding the 'includeSubDomains' flag if appropriate."

How do I make those changes in Kibana?

Thanks

Marius_Dragomir · March 22, 2019, 11:44am

Hello,
You can try and achieve this by using the server.customResponseHeaders https://www.elastic.co/guide/en/kibana/current/settings.html and specifying your own custom one.
The format for the setting is like this: Format of kibana server.customResponseHeaders

mbarker · March 27, 2019, 4:10pm

Thanks, setting the server.customResponseHeaders did work. Is there a similar for Elasticsearch?

Thanks

system · April 24, 2019, 4:16pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Security Header Elasticsearch	8	1435	October 1, 2020
Added HTTP Security Headers in Kibana Config *.yml File, but it's not reflection in the server please help me Kibana	3	2269	February 22, 2019
Kibana http requests instead of https? i.e. without encryption Kibana	5	1505	July 6, 2017
About the content security policies Kibana elastic-stack-security	0	187	June 14, 2024
Access secured Elasticsearch from Kibana Kibana	2	369	November 3, 2020

HTTP strict Transport Security

Related topics