Strict-Transport-Security for opendistro

asfoorial · February 2, 2021, 3:19pm

Good day,

Is there a way to configure address RFC6797 vulnerability and force Strict-Transport-Security in the server headers?

I was able to do it in Kibana by including server.customResponseHeaders in kibana.yml

I was not able to find an equivalent configuration is elasticsearch. I was wondering if opendistro has such configuration?

Thanks,
Hasan

pablo · February 3, 2021, 10:46am

Elasticsearch in opendistro won’t response to HTTP curl requests, unless you disable security plugin.

asfoorial · February 3, 2021, 3:37pm

It does respond to curl requests. Actually I just ran the below and got the HTTP response but without the HSTS header.

curl -XGET “https://localhost:9200” -u admin:admin -ik

Topic		Replies	Views
Continuing the discussion from [Strict-Transport-Security for opendistro](https://forum.opensearch.org/t/strict-transport-security-for-opendistro/4823) Security configure , feature-request , security-issue	1	44	September 11, 2024
How to configure .opendistro_security index with HTTP Open Source Elasticsearch and Kibana	1	761	November 13, 2020
Installation trouble General Feedback	2	377	April 19, 2021
How to enable http strict transport security (HSTS)? Security	1	716	February 23, 2023
Opendistro_security.ssl.http.enabled property Security	3	610	July 9, 2021