How to enable http strict transport security (HSTS)?

Versions (relevant - OpenSearch/Dashboard/Server OS/Browser):
Opensearch 2.5

Describe the issue:
I want to enable hsts for the opensearch dashboards and for the opensearch service. I can’t figure out how to correctly set the hsts header.

Configuration:
Kibana allows this by enabling the server.securityResponseHeaders.strictTransportSecurity setting in the kibana.yml
How do I enable this for opensearch and opensearch-dashboards?

Relevant Logs or Screenshots:

@strattao The server.securityResponseHeaders.strictTransportSecurity is not a part of the XPack security plugin but Kibana's own function.

I’m not aware of such functionality in OpenSearch’s security plugin. Following Kibana logic I would expect this option in OpenSearch Dashboards

I’ve tried to use it in the OpenSearch Dashboards 2.5 configuration and got the following error.

 FATAL  ValidationError: child "server" fails because ["securityResponseHeaders" is not allowed]

It looks unsupported at this point. You can try to report it as a feature request in the OpenSearch Dashboards GitHub.

1 Like

Hi

I got the same vulnerability, HSTS Missing From HTTPS Server (RFC 6797), for opensearch and opensearch-dashboard.

My opensearch and opensearch-dashboard version is 2.15.0.

I applied the below settings in opensearch-dashboard.yml

server.customResponseHeaders:
  Strict-Transport-Security: "max-age=31536000; includeSubDomains"

But when I use the same settings in opensearch, opensearch fails and shows the below error

java.lang.IllegalArgumentException: unknown setting [server.customResponseHeaders.Strict-Transport-Security] please check that any required plugins are installed, or check the breaking changes documentation for removed settings

Can anyone help here? How can I resolve the same in opensearch?

@Ekta As far as I’m aware, HSTS is still not natively available in OpenSearch. You can try to use a reverse proxy with the HSTS header in front of the OpenSearch cluster.

2 Likes

You can’t enable HSTS directly in OpenSearch or OpenSearch Dashboards today, as there’s no built-in setting like in Kibana. The common workaround is to put a reverse proxy (e.g., Nginx or Apache) in front of your cluster and configure it to add the Strict-Transport-Security header. This way all traffic is enforced over HTTPS even though OpenSearch itself doesn’t natively support HSTS. You may compel your website to load over the HTTPS protocol using the HSTS security header in your server configuration. Hope it helps!
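The reverse-proxy workaround described in the replies above, as an added nginx example that is not part of the original thread: nginx terminates TLS for both OpenSearch Dashboards (assumed on 127.0.0.1:5601) and the OpenSearch REST API (assumed on 127.0.0.1:9200, served over TLS by the security plugin) and adds the Strict-Transport-Security header itself. The hostnames, ports and certificate paths are assumptions.

```nginx
# Added example, not from the thread. Hostnames, ports and cert paths are assumed.

# Redirect plain HTTP to HTTPS. HSTS only takes effect once a browser has
# seen the header on a valid HTTPS response, so the redirect is still needed.
server {
    listen 80;
    server_name dashboards.example.internal search.example.internal;
    return 301 https://$host$request_uri;
}

# OpenSearch Dashboards behind nginx
server {
    listen 443 ssl;
    server_name dashboards.example.internal;
    ssl_certificate     /etc/nginx/tls/dashboards.crt;   # assumed path
    ssl_certificate_key /etc/nginx/tls/dashboards.key;   # assumed path

    # "always" also sets the header on 4xx/5xx responses, which the
    # RFC 6797 scanner check mentioned above inspects as well.
    # Keep add_header at server level: an add_header inside a location
    # block would replace, not extend, the inherited headers.
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

    location / {
        proxy_pass http://127.0.0.1:5601;
        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
    }
}

# OpenSearch REST API behind nginx
server {
    listen 443 ssl;
    server_name search.example.internal;
    ssl_certificate     /etc/nginx/tls/search.crt;   # assumed path
    ssl_certificate_key /etc/nginx/tls/search.key;   # assumed path

    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

    location / {
        # The security plugin serves 9200 over TLS, so proxy to https://
        # and verify the node certificate against the cluster CA.
        proxy_pass https://127.0.0.1:9200;
        proxy_ssl_trusted_certificate /etc/nginx/tls/opensearch-ca.pem;  # assumed path
        proxy_ssl_verify on;
        proxy_ssl_name   opensearch-node1;   # assumed SAN of the node certificate
        proxy_set_header Host $host;
    }
}
```

After reloading nginx, `curl -sI https://dashboards.example.internal/` should show the Strict-Transport-Security header on every response, including error pages.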