I'm guessing what's happened is:

1. You've run an (unnamed) security scanner against node_exporter.
2. The scanner has come back with this message, telling you that node_exporter should return an STS header.

I'm saying that the scanner's conclusion is wrong.

Firstly, node_exporter isn't a web server, and you don't connect to it with a web browser.

Secondly, I don't know how you have configured node_exporter, but it can either serve HTTP (default) or HTTPS (*), on one port that you select. STS only makes sense for a website which has both HTTP and HTTPS endpoints, usually on the standard ports 80 and 443. It tells the browser always to select the HTTPS endpoint, and to remember this fact. node_exporter only provides one or the other, so (1) STS is meaningless, and (2) this is not a vulnerability in node_exporter.

If you've configured node_exporter on HTTP, then there's no HTTPS port for STS to prefer. If you've configured node_exporter on HTTPS (and of course configured prometheus to scrape it on HTTPS), then there's no HTTP port for STS to stop you using.

Regards,
Brian.

(*) TLS is available in node_exporter 1.0.0+: you need to set --web.config to point to a file which contains the tlsConfig settings. See https://github.com/prometheus/node_exporter#tls-endpoint

A sample web.config file would look like this:

    tlsConfig:
      tlsCertPath: /etc/prometheus/ssl/prom_node_cert.pem
      tlsKeyPath: /etc/prometheus/ssl/prom_node_key.pem
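The post notes that an HTTPS-only node_exporter also needs Prometheus to scrape it over HTTPS. The following is an added example (not part of Brian's message or of the node_exporter project docs) showing both halves of that setup together: the exporter-side web.config file in the tlsConfig format quoted above, and the matching Prometheus scrape_config that pins the scheme to https and verifies the exporter's certificate against a CA. The CA file path /etc/prometheus/ssl/ca.pem, the job name and the target hostname are assumptions for illustration.

```yaml
# --- node_exporter side: file passed via --web.config ---
# (tlsConfig / tlsCertPath / tlsKeyPath are the keys quoted in the post above.)
tlsConfig:
  tlsCertPath: /etc/prometheus/ssl/prom_node_cert.pem
  tlsKeyPath: /etc/prometheus/ssl/prom_node_key.pem

---
# --- Prometheus side: prometheus.yml scrape job for the HTTPS-only exporter ---
scrape_configs:
  - job_name: node            # assumed job name
    # Force HTTPS; with the exporter serving only TLS there is no HTTP
    # endpoint at all, so there is nothing for an STS header to redirect.
    scheme: https
    tls_config:
      # CA that signed prom_node_cert.pem (assumed path). Leaving this out
      # and setting insecure_skip_verify: true would silently drop
      # certificate validation, which is the setting actually worth flagging.
      ca_file: /etc/prometheus/ssl/ca.pem
      insecure_skip_verify: false
    static_configs:
      - targets:
          - node1.example.internal:9100   # assumed target; 9100 is the default node_exporter port
```

The two documents are separated by `---` only for presentation here; in practice they live in two different files, one referenced by `--web.config` on the exporter host and the other being the Prometheus server's own configuration. A scrape job that still says `scheme: http` (the default) against a TLS-only exporter will fail with a TLS handshake error rather than being "downgraded", which is the same reason the scanner's STS finding does not apply.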

