HTTP strict Transport Security

mbarker · March 15, 2019, 6:03pm

We recently had a Burp Suite scan done and it found that "BurpSuite Found: 'Strict transport security not enforced' (Type: 16777984)"
To correct the issue, below is what was suggested:-

"The application should instruct web browsers to only access the application using HTTPS. To do this, enable HTTP Strict Transport Security (HSTS) by adding a response header with the name 'Strict-Transport-Security' and the value 'max-age=expireTime', where expireTime is the time in seconds that browsers should remember that the site should only be accessed using HTTPS. Consider adding the 'includeSubDomains' flag if appropriate."

How do I make those changes in Kibana?

Thanks

Marius_Dragomir · March 22, 2019, 11:44am

Hello,
You can try and achieve this by using the server.customResponseHeaders https://www.elastic.co/guide/en/kibana/current/settings.html and specifying your own custom one.
The format for the setting is like this: Format of kibana server.customResponseHeaders

mbarker · March 27, 2019, 4:10pm

Thanks, setting the server.customResponseHeaders did work. Is there a similar for Elasticsearch?

Thanks

system · April 24, 2019, 4:16pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
About the content security policies Kibana elastic-stack-security	0	171	June 14, 2024
External SSL for inter-node communication Elasticsearch elastic-stack-security	2	297	August 24, 2021
Set up basic security for the Elastic Stack plus secured HTTPS traffic Elasticsearch elastic-stack-security	1	298	May 1, 2024
Kibana in K8 failed create token in http Elastic Security	2	249	March 28, 2024
Applying SSL to Elasticsearch and Kibana: Connection refused on Kibana Elasticsearch	55	1442	May 16, 2024

HTTP strict Transport Security

Related Topics