Security Header

Any thoughts on how to configure the following HTTP secure headers:

  1. X-Frame-Options: deny
  2. X-XSS-Protection: 1; mode=block
  3. X-Content-Type-Options: nosniff
  4. Strict-Transport-Security: max-age=31536000 ; includeSubDomains

Versions that I'm using:
elasticsearch-7.9.0-1.x86_64
kibana-7.9.0-1.x86_64
logstash-7.8.0-1.noarch
metricbeat-7.9.0-1.x86_64
filebeat-7.9.0-1.x86_64

Welcome to our community! :smiley:

Can you elaborate where you want to enable them?

Thanks Mark.

Basically this is for web hardening. Can these be added in kibana.yml? It's just that I don't know how.

Right but it's not clear where you want these added. External only? Everywhere? Just between products in the stack? Something else?

This Kibana should be only reachable within our network.

This Kibana service is located in one server only.

Any thoughts on this please? Thanks.

I'm not clear on why access control and a firewall would not work?

Our client wants more security. Here's what they told us:

For your reference as well, SSL is not enough to secure a web application. From our past experience, the common entry point of attacks on us has been this weak security configuration. When I say this, I mean the SSL-enabled sites we have that have no secure headers. This has been our standard for security.

Example:
Strict-Transport-Security
When a site performs a 301 redirect from the http to the https version of a site, the redirect does not fully protect the site visitor, since it can be intercepted between when the visitor requests the http version of the site. This web server is already vulnerable to man-in-the-middle attacks. By having this, the attacker has a lot of opportunity to stage further advanced attacks that may lead to information disclosure.
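As an added example, not code from this thread or from Elastic, here is a small audit that checks a response's headers against the four values the thread lists, parsing the Strict-Transport-Security directives rather than comparing the raw string. The function names, the sample headers and the one-year minimum for max-age are assumptions chosen for the example.

```python
import urllib.request
from typing import Dict, List

# Expected values for three of the four headers discussed in the thread (compared case-insensitively).
EXPECTED = {
    "x-frame-options": "deny",
    "x-xss-protection": "1; mode=block",
    "x-content-type-options": "nosniff",
}
HSTS_MIN_MAX_AGE = 31536000  # one year, matching the thread's max-age value


def parse_hsts(value: str) -> Dict[str, str]:
    """Split a Strict-Transport-Security value into a {directive: value} dict, names lowercased."""
    directives: Dict[str, str] = {}
    for part in value.split(";"):
        part = part.strip()
        if part:
            name, _, val = part.partition("=")
            directives[name.strip().lower()] = val.strip()
    return directives


def audit_headers(headers: Dict[str, str]) -> List[str]:
    """Return a list of findings; an empty list means all four headers meet the policy."""
    h = {k.lower(): v for k, v in headers.items()}
    findings: List[str] = []
    for name, expected in EXPECTED.items():
        actual = h.get(name)
        if actual is None:
            findings.append(f"{name}: missing")
        elif " ".join(actual.lower().split()) != expected:  # normalise case and whitespace
            findings.append(f"{name}: got {actual!r}, expected {expected!r}")
    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("strict-transport-security: missing")
    else:
        d = parse_hsts(hsts)
        max_age = int(d["max-age"]) if d.get("max-age", "").isdigit() else -1
        if max_age < HSTS_MIN_MAX_AGE:
            findings.append(f"strict-transport-security: max-age {d.get('max-age')!r} below {HSTS_MIN_MAX_AGE}")
        if "includesubdomains" not in d:
            findings.append("strict-transport-security: includeSubDomains missing")
    return findings


def fetch_headers(url: str) -> Dict[str, str]:
    """Fetch a URL (following redirects) and return the final response's headers for auditing."""
    with urllib.request.urlopen(url, timeout=5) as resp:
        return {k: v for k, v in resp.headers.items()}


# Constructed sample of a compliant response; audit_headers(GOOD_HEADERS) returns [].
GOOD_HEADERS = {
    "X-Frame-Options": "DENY",
    "X-XSS-Protection": "1; mode=block",
    "X-Content-Type-Options": "nosniff",
    "Strict-Transport-Security": "max-age=31536000 ; includeSubDomains",
}
```

Run `audit_headers(fetch_headers("https://kibana.example.internal:5601/"))` against a real host to list which of the four headers are still missing or weaker than the policy.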