On 24/11/2020 17:30, [email protected] wrote:
> I'm guessing what's happened is:
> 1. You've run an (unnamed) security scanner against node_exporter
> 2. The scanner has come back with this message, telling you that
> node_exporter should return an STS header.
> I'm saying that the scanner's conclusion is wrong.
> Firstly, node_exporter isn't a web server, and you don't connect to it
> with a web browser.
> Secondly, I don't know how you have configured node_exporter, but it
> can either serve HTTP (default) or HTTPS (*), on one port that you
> select. STS only makes sense for a website which has both HTTP and
> HTTPS endpoints, usually on the standard ports 80 and 443. It tells
> the browser always to select the HTTPS endpoint, and to remember this
> fact.
Technically it does still offer advantages for HTTPS-only websites, as
it would prevent people from accessing things at all if HTTP was
actually enabled (either the site switched from just HTTPS to dual or
just HTTP, or something else tried to use the HTTP port [assuming 80/443
for a normal website]) and you tried to access the site. Therefore it
prevents some future (possibly nefarious) change from tripping you up.
But as you say that is pretty much irrelevant as Prometheus doesn't read
or obey the STS headers anyway, and access from a normal web browser is
fairly unusual or short lived (e.g. temporary tests & debugging).
--
You received this message because you are subscribed to the Google Groups
"Prometheus Users" group.
To view this discussion on the web visit
https://groups.google.com/d/msgid/prometheus-users/cf1b899b-b8ff-a922-1f7a-45fdbce90a15%40Jahingo.com.
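The thread's point is that Strict-Transport-Security only changes the behaviour of a client that both remembers the header and later chooses between an HTTP and an HTTPS endpoint for the same host. The following is an added illustration, not code from the thread or from the Prometheus project: it models an HSTS-aware client next to a scrape-style client that takes the scheme from its configuration and ignores the header, so the difference the reply describes (including the "HTTP re-enabled later" case) can be seen concretely. The host names, port and header values are constructed; the clock is injected so expiry can be exercised offline.

```python
import time
from urllib.parse import urlsplit, urlunsplit

# Constructed sample responses (not from the thread): one HTTPS endpoint that
# returns the header the scanner asked for, and one that does not.
SAMPLE_RESPONSES = {
    "https://node1.example.internal:9100/metrics": {
        "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    },
    "https://node2.example.internal:9100/metrics": {},
}


def parse_hsts(header_value):
    """Parse a Strict-Transport-Security value (RFC 6797 syntax) into a dict.

    Returns None when the mandatory max-age directive is missing or invalid.
    Directive names are case-insensitive; unknown directives are ignored.
    """
    directives = {}
    for part in header_value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition("=")
        directives[name.strip().lower()] = value.strip().strip('"')
    max_age = directives.get("max-age", "")
    if not max_age.isdigit():
        return None
    return {"max_age": int(max_age),
            "include_subdomains": "includesubdomains" in directives}


class BrowserLikeClient:
    """Models the behaviour the reply describes: remember the host and
    always pick the HTTPS endpoint for it afterwards, until the policy expires."""

    def __init__(self, now=time.time):
        self.now = now
        self.known_hosts = {}  # host -> (expiry timestamp, include_subdomains)

    def _is_known(self, host):
        for known, (expiry, include_sub) in self.known_hosts.items():
            if expiry <= self.now():
                continue  # expired policy, no longer enforced
            if host == known or (include_sub and host.endswith("." + known)):
                return True
        return False

    def receive(self, url, headers):
        """Record an HSTS policy; RFC 6797 only honours it on HTTPS responses.
        Returns True if the known-host store was updated."""
        parts = urlsplit(url)
        if parts.scheme != "https":
            return False
        value = next((v for k, v in headers.items()
                      if k.lower() == "strict-transport-security"), None)
        policy = parse_hsts(value) if value else None
        if policy is None:
            return False
        if policy["max_age"] == 0:
            self.known_hosts.pop(parts.hostname, None)  # max-age=0 clears it
            return True
        self.known_hosts[parts.hostname] = (self.now() + policy["max_age"],
                                            policy["include_subdomains"])
        return True

    def resolve(self, url):
        """Return the URL the client would actually fetch for a requested URL."""
        parts = urlsplit(url)
        if parts.scheme == "http" and self._is_known(parts.hostname):
            # Upgrade to https on the same port; port 80 maps to the https default.
            netloc = (parts.hostname if parts.port in (None, 80)
                      else f"{parts.hostname}:{parts.port}")
            return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))
        return url


class ScraperLikeClient:
    """Models a scrape-style client: the scheme is fixed by configuration and
    response headers never change which endpoint is fetched next time."""

    def receive(self, url, headers):
        return False

    def resolve(self, url):
        return url


def demo():
    """Feed both clients the sample responses, then ask each where a later
    plain-HTTP request to node1 would really go."""
    browser = BrowserLikeClient(now=lambda: 1_000_000.0)
    scraper = ScraperLikeClient()
    for url, headers in SAMPLE_RESPONSES.items():
        browser.receive(url, headers)
        scraper.receive(url, headers)
    http_url = "http://node1.example.internal:9100/metrics"
    return browser.resolve(http_url), scraper.resolve(http_url)


if __name__ == "__main__":
    print(demo())
```

The browser-like client ends up pinned to `https://node1.example.internal:9100/metrics` even when asked for the HTTP URL, which is the "trips you up if HTTP is enabled later" effect the reply mentions; the scraper-like client fetches exactly what its configuration says, so the header makes no difference to it either way.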