How to enable http strict transport security (HSTS)?

strattao · February 23, 2023, 2:08pm

Versions (relevant - OpenSearch/Dashboard/Server OS/Browser):
Opensearch 2.5

Describe the issue:
I want to enable hsts for the opensearch dashboards and for the opensearch service. I can’t figure out how to correctly set the hsts header.

Configuration:
Kibana allows this by enabling the server.securityResponseHeaders.strictTransportSecurity setting in the kibana.yml
How do I enable this for opensearch and opensearch-dashboards?

Relevant Logs or Screenshots:

pablo · February 23, 2023, 4:30pm

@strattao The server.securityResponseHeaders.strictTransportSecurity is not a part XPack security plugin but Kibana’s function.

I’m not aware of such functionality in OpenSearch’s security plugin. Following Kibana logic I would expect this option in OpenSearch Dashboards

I’ve tried to use it in the OpenSeach Dashboards 2.5 configuration and got the following error.

 FATAL  ValidationError: child "server" fails because ["securityResponseHeaders" is not allowed]

It looks unsupported at this point. You can try to report it as a feature request in OpenSeach Dashboards GitHub

Topic		Replies	Views
Continuing the discussion from [Strict-Transport-Security for opendistro](https://forum.opensearch.org/t/strict-transport-security-for-opendistro/4823) Security configure , feature-request , security-issue	1	40	September 11, 2024
Strict-Transport-Security for opendistro Security security-issue	2	730	February 3, 2021
An Error Is Reported When opensearch-dashboards Is Connected to the OpenSearch Cluster OpenSearch Dashboards install	2	168	June 6, 2024
OpenSearch Dashboards support for TLS1.3 Security security-issue	3	545	October 3, 2022
Opensearch Dashboards Security Plugin causes the Dashboards to stop working (ECONNREFUSED) Security	19	5904	October 24, 2022

How to enable http strict transport security (HSTS)?

Related topics