Enforce Strict-Transport-Security for serverless offering #154376
Labels: duplicate; enhancement (New value added to drive a business result); Feature:Hardening (Hardening of Kibana from a security perspective); Team:Security (Team focused on: Auth, Users, Roles, Spaces, Audit Logging, and more!)
The HTTP Strict-Transport-Security response header (often abbreviated as HSTS) informs browsers that the site should only be accessed using HTTPS, and that any future attempts to access it using HTTP should automatically be converted to HTTPS.

Our serverless offering will always be served over HTTPS, and so we should configure this response header accordingly. That said, we want to make sure that this is NOT set by default for local development, as we don't want to require all devs to configure TLS.
We already expose this as a configuration option for on-prem installs, so it'll "just" be a matter of updating the configured value when running within a serverless context:
kibana/packages/core/http/core-http-server-internal/src/security_response_headers_config.ts, lines 12 to 15 in 6ad108d
Recommended value: Strict-Transport-Security: max-age=31536000; includeSubDomains
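As an added example (not Kibana's own code, and not the configuration option the issue refers to), the following TypeScript shows the two halves of what the issue asks for: building the header value from a per-deployment config so that it is present for the serverless mode and omitted for local development, and a deploy-time check that parses the value a server actually returns (the way RFC 6797 tells browsers to) and confirms it meets the recommended value above. The config field names, the two config objects and the helper names are assumptions made for this example.

```typescript
// Added example, not Kibana's own code: build an HSTS header value from a
// config object and verify a served value against the recommendation.
// Field and function names below are assumptions for the example.

interface HstsConfig {
  enabled: boolean;          // keep false for local dev so TLS is not required
  maxAgeSeconds: number;
  includeSubDomains: boolean;
}

interface HstsDirectives {
  maxAge: number;
  includeSubDomains: boolean;
  preload: boolean;
}

const ONE_YEAR_SECONDS = 31536000;

// Constructed configs for the two deployment modes discussed in the issue.
const serverlessHsts: HstsConfig = { enabled: true, maxAgeSeconds: ONE_YEAR_SECONDS, includeSubDomains: true };
const localDevHsts: HstsConfig = { enabled: false, maxAgeSeconds: 0, includeSubDomains: false };

// Returns the header value to send, or null when the header must be omitted.
// (Browsers ignore HSTS received over plain HTTP anyway, but omitting it for
// local development keeps the intent explicit and avoids forcing TLS on devs.)
function buildHstsHeader(cfg: HstsConfig): string | null {
  if (!cfg.enabled) return null;
  if (!Number.isInteger(cfg.maxAgeSeconds) || cfg.maxAgeSeconds < 0) {
    throw new Error(`invalid max-age: ${cfg.maxAgeSeconds}`);
  }
  const parts = [`max-age=${cfg.maxAgeSeconds}`];
  if (cfg.includeSubDomains) parts.push('includeSubDomains');
  return parts.join('; ');
}

// Parses a Strict-Transport-Security value the way RFC 6797 asks browsers to:
// directive names are case-insensitive, max-age is mandatory, unknown
// directives are ignored, and a header that repeats a directive is invalid
// (browsers discard it entirely), so it is reported here as null.
function parseHstsHeader(value: string): HstsDirectives | null {
  const seen = new Set<string>();
  let maxAge: number | null = null;
  let includeSubDomains = false;
  let preload = false;
  for (const raw of value.split(';')) {
    const token = raw.trim();
    if (token === '') continue;
    const eq = token.indexOf('=');
    const name = (eq === -1 ? token : token.slice(0, eq)).trim().toLowerCase();
    const arg = eq === -1 ? null : token.slice(eq + 1).trim().replace(/^"(.*)"$/, '$1');
    if (seen.has(name)) return null;          // duplicate directive: invalid header
    seen.add(name);
    if (name === 'max-age') {
      if (arg === null || !/^\d+$/.test(arg)) return null;
      maxAge = Number(arg);
    } else if (name === 'includesubdomains') {
      includeSubDomains = true;
    } else if (name === 'preload') {
      preload = true;
    }
  }
  if (maxAge === null) return null;           // max-age is required
  return { maxAge, includeSubDomains, preload };
}

// Deploy-time check: does the value a server actually returned satisfy the
// issue's recommendation (at least one year, subdomains included)?
function meetsRecommendation(headerValue: string | null | undefined): boolean {
  if (!headerValue) return false;
  const d = parseHstsHeader(headerValue);
  return d !== null && d.maxAge >= ONE_YEAR_SECONDS && d.includeSubDomains;
}

// Stand-alone demo over the constructed configs and a constructed weak value.
function demo(): void {
  console.log(buildHstsHeader(serverlessHsts));   // max-age=31536000; includeSubDomains
  console.log(buildHstsHeader(localDevHsts));     // null
  console.log(meetsRecommendation('max-age=300')); // false
}
demo();
```

The check deliberately treats a header with a repeated directive as failing rather than taking the first or last value: a browser that receives such a header ignores it, so a deployment that sends one is effectively not enforcing HSTS even though a naive string search would find `max-age` in it.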