Continuing the discussion from [Strict-Transport-Security for opendistro](https://forum.opensearch.org/t/strict-transport-security-for-opendistro/4823)

Versions (relevant - OpenSearch/Dashboard/Server OS/Browser):
OpenSearch: 1.3 and 2.15

Describe the issue:
I am facing an issue with Strict-Transport-Security (HSTS), a missing security header from OpenSearch.

Is there any way to set custom headers for the OpenSearch port, or is any other feasible solution available from OpenSearch to address this HSTS security concern?

Note: This is not a problem with curl only; the issue is the response from OpenSearch to any requesting client. I need a common solution from the server.

Please Help! Thanks in Advance.

Regards,
J Meher

Hi @jmeher ,

I have found a topic on GitHub with a similar issue. Please take a look at the following discussion:

According to the documentation here, the HSTS header is a hint for browsers not to use HTTP. Redirection from HTTP to HTTPS creates an opportunity for a man-in-the-middle attack.

Usually, OpenSearch Dashboards is used in a browser. You can add a custom header for OpenSearch Dashboards as in the example below:
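To check from the client side whether a response carries an HSTS policy a browser would honor, the sketch below parses a Strict-Transport-Security value following RFC 6797. It is an added example, not part of the original reply and not OpenSearch code; the function name, the one-year `min_age` threshold and the sample header values are assumptions made for illustration.

```python
import re

def evaluate_hsts(header_values, scheme="https", min_age=31536000):
    """Return (ok, reason) for the Strict-Transport-Security headers of one response.

    header_values: list of raw header values, in the order received.
    min_age: assumed policy threshold in seconds (one year), not an RFC rule.
    """
    if scheme != "https":
        # RFC 6797 8.1: HSTS received over plain HTTP is ignored by browsers.
        return False, "ignored: sent over plain HTTP"
    if not header_values:
        return False, "missing header"
    seen = {}
    # RFC 6797 8.1: only the first header field is processed.
    for part in header_values[0].split(";"):
        part = part.strip()
        if not part:
            continue  # empty directives are allowed by the grammar
        name, _, value = part.partition("=")
        name = name.strip().lower()  # directive names are case-insensitive
        if name in seen:
            return False, f"invalid: duplicate directive {name}"
        seen[name] = value.strip().strip('"')  # value may be a quoted-string
    if "max-age" not in seen:
        return False, "invalid: max-age is required"
    if not re.fullmatch(r"\d+", seen["max-age"]):
        return False, "invalid: max-age is not a number"
    age = int(seen["max-age"])
    if age == 0:
        return False, "policy removed: max-age=0"
    if age < min_age:
        return False, f"weak: max-age {age} below {min_age}"
    suffix = " with includeSubDomains" if "includesubdomains" in seen else ""
    return True, "ok" + suffix

if __name__ == "__main__":
    # Constructed sample values, not captured from a real OpenSearch node.
    samples = [[], ["max-age=300"], ['Max-Age="63072000"'],
               ["max-age=31536000; includeSubDomains"]]
    for values in samples:
        print(values, "->", evaluate_hsts(values))
```
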