However, we could still access the endpoint 9100 with the host name in a
web browser.

I understand that Strict-Transport-Security is used on a web server to
redirect HTTP to HTTPS by inserting that information in the header, so that
the client connects using HTTPS instead of HTTP.

How can I justify this with the security scanner? Any help appreciated.

On Tue, Nov 24, 2020 at 11:09 PM Selvam Elangovan <[email protected]>
wrote:

> Perfect. You are spot on. Thanks for your inputs. It helps us.
>
> Thanks & Regards,
> Selvam E.
>
> On Tue, 24 Nov 2020, 23:00 [email protected], <[email protected]> wrote:
>
>> I'm guessing what's happened is:
>> 1. You've run an (unnamed) security scanner against node_exporter
>> 2. The scanner has come back with this message, telling you that
>> node_exporter should return an STS header.
>>
>> I'm saying that the scanner's conclusion is wrong.
>>
>> Firstly, node_exporter isn't a web server, and you don't connect to it
>> with a web browser.
>>
>> Secondly, I don't know how you have configured node_exporter, but it can
>> either serve HTTP (default) or HTTPS (*), on one port that you select.  STS
>> only makes sense for a website which has both HTTP and HTTPS endpoints,
>> usually on the standard ports 80 and 443.  It tells the browser always to
>> select the HTTPS endpoint, and to remember this fact.
>>
>> node_exporter only provides one or the other, so (1) STS is meaningless,
>> and (2) this is not a vulnerability in node_exporter.
>>
>> If you've configured node_exporter on HTTP, then there's no HTTPS port
>> for STS to prefer.  If you've configured node_exporter on HTTPS (and of
>> course configured prometheus to scrape it on HTTPS), then there's no HTTP
>> port for STS to stop you using.
>>
>> Regards,
>>
>> Brian.
>>
>> (*) TLS is available in node_exporter 1.0.0+: you need to
>> set --web.config to point to a file which contains the tlsConfig settings.
>> See https://github.com/prometheus/node_exporter#tls-endpoint
>>
>> A sample web.config file would look like this:
>>
>> tlsConfig:
>>   tlsCertPath: /etc/prometheus/ssl/prom_node_cert.pem
>>   tlsKeyPath: /etc/prometheus/ssl/prom_node_key.pem
>>
>

-- 
You received this message because you are subscribed to the Google Groups 
"Prometheus Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to [email protected].
To view this discussion on the web visit 
https://groups.google.com/d/msgid/prometheus-users/CAKhb3rv56fERH9BKuTUuSQ9cWqpRAqNOa%3D5B%3Dxsvx5OR%3D3pBBw%40mail.gmail.com.
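A small check that turns Brian's argument into something you can hand to the scanner team, written here as an added example (it is not code from this thread, from Prometheus or from node_exporter). It probes a host:port to find out which single transport the listener actually speaks, and encodes the rule that a missing Strict-Transport-Security header is only a finding when the same host exposes both a plaintext endpoint and a TLS endpoint. The fakeExporter helper is a constructed stand-in for a node_exporter listener (one port, one transport), and the metric line it serves is made up; run it against a real 9100 by calling Probe with that address instead.

```go
package main

import (
	"crypto/tls"
	"errors"
	"fmt"
	"net"
	"net/http"
	"net/http/httptest"
	"time"
)

// Transport is what a listener actually speaks. node_exporter serves exactly
// one of these on its single port: Plaintext by default, TLS when --web.config
// points at a file with a tlsConfig section.
type Transport int

const (
	Unknown Transport = iota
	Plaintext
	TLS
)

func (t Transport) String() string {
	switch t {
	case Plaintext:
		return "plaintext HTTP"
	case TLS:
		return "TLS (HTTPS)"
	}
	return "unknown"
}

// Probe classifies host:port by attempting a TLS handshake. A TLS listener
// completes it. A plaintext HTTP listener tries to parse the ClientHello as a
// request line, answers "HTTP/1.1 400 Bad Request" and closes; the TLS client
// then fails with a RecordHeaderError because that reply is not a TLS record.
// Certificate verification is disabled because this only classifies the
// transport; it deliberately trusts nothing it is told.
func Probe(addr string) (Transport, error) {
	conn, err := net.DialTimeout("tcp", addr, 2*time.Second)
	if err != nil {
		return Unknown, err
	}
	defer conn.Close()
	_ = conn.SetDeadline(time.Now().Add(2 * time.Second))

	tc := tls.Client(conn, &tls.Config{InsecureSkipVerify: true})
	err = tc.Handshake()
	if err == nil {
		return TLS, nil
	}
	var rhe tls.RecordHeaderError
	if errors.As(err, &rhe) {
		return Plaintext, nil
	}
	return Unknown, err // timeout, reset, or a TLS server that refused us
}

// STSFindingValid is the thread's argument as a predicate: a missing
// Strict-Transport-Security header is only a finding when the same host
// exposes both a plaintext endpoint (for HSTS to forbid) and a TLS endpoint
// (for HSTS to pin). RFC 6797 section 8.1 also requires browsers to ignore an
// STS header received over plaintext, so adding the header to a
// plaintext-only node_exporter would change nothing.
func STSFindingValid(exposed []Transport) bool {
	var plain, secure bool
	for _, t := range exposed {
		plain = plain || t == Plaintext
		secure = secure || t == TLS
	}
	return plain && secure
}

// fakeExporter is a constructed stand-in for node_exporter: one listener
// serving /metrics over exactly one transport. The metric line is made up.
func fakeExporter(mode Transport) *httptest.Server {
	mux := http.NewServeMux()
	mux.HandleFunc("/metrics", func(w http.ResponseWriter, _ *http.Request) {
		w.Header().Set("Content-Type", "text/plain; version=0.0.4")
		fmt.Fprintln(w, "node_up 1")
	})
	if mode == TLS {
		return httptest.NewTLSServer(mux)
	}
	return httptest.NewServer(mux)
}

func main() {
	for _, mode := range []Transport{Plaintext, TLS} {
		srv := fakeExporter(mode)
		got, err := Probe(srv.Listener.Addr().String())
		srv.Close()
		if err != nil {
			fmt.Println("probe failed:", err)
			continue
		}
		fmt.Printf("port speaks %s; STS finding valid for this host: %v\n",
			got, STSFindingValid([]Transport{got}))
	}
	// Only a host that really serves both (classic :80 plus :443) matches
	// what the scanner is expecting.
	fmt.Println("host with both HTTP and HTTPS:",
		STSFindingValid([]Transport{Plaintext, TLS}))
}
```

The probe result is the evidence to attach to the scanner ticket: if Probe reports plaintext for 9100 and no other port on the host answers TLS, there is no HTTPS endpoint for HSTS to prefer; if it reports TLS and nothing on the host answers plaintext, there is no HTTP endpoint for HSTS to stop a client using. Either way the header is meaningless, which is the point made above.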
