this what we got in scan: X-Content-Type-Options HTTP Header missing on port 9100. X-Content-Type-Options HTTP Header missing on port 9100.
Kindly advice how we can address in node_exporter. Thanks & Regards, Selvam E. On Mon, Nov 30, 2020 at 11:12 AM Selvam Elangovan <[email protected]> wrote: > however we could still access the endpoint 9100 withhost name in > webbrowser. > > I understand that Strict-Transport-Security is used on web server to > redirect the http to https by inserting that information in header so that > the client connect using https instead of http. > > How I can justify this with security scanner? any help appreciated. > > On Tue, Nov 24, 2020 at 11:09 PM Selvam Elangovan <[email protected]> > wrote: > >> Perfect. you are spot on. Thanks for your inputs. It helps us. >> >> Thanks & Regards, >> Selvam E. >> >> On Tue, 24 Nov 2020, 23:00 [email protected], <[email protected]> >> wrote: >> >>> I'm guessing what's happened is: >>> 1. You've run an (unnamed) security scanner against node_exporter >>> 2. The scanner has come back with this message, telling you that >>> node_exporter should return an STS header. >>> >>> I'm saying that the scanner's conclusion is wrong. >>> >>> Firstly, node_exporter isn't a web server, and you don't connect to it >>> with a web browser. >>> >>> Secondly, I don't know how you have configured node_exporter, but it can >>> either serve HTTP (default) or HTTPS (*), on one port that you select. STS >>> only makes sense for a website which has both HTTP and HTTPS endpoints, >>> usually on the standard ports 80 and 443. It tells the browser always to >>> select the HTTPS endpoint, and to remember this fact. >>> >>> node_exporter only provides one or the other, so (1) STS is meaningless, >>> and (2) this is not a vulnerability in node_exporter. >>> >>> If you've configured node_exporter on HTTP, then there's no HTTPS port >>> for STS to prefer. If you've configured node_exporter on HTTPS (and of >>> course configured prometheus to scrape it on HTTPS), then there's no HTTP >>> port for STS to stop you using. >>> >>> Regards, >>> >>> Brian. >>> >>> (*) TLS is available in node_exporter 1.0.0+: you need to >>> set --web.config to point to a file which contains the tlsConfig settings. >>> See https://github.com/prometheus/node_exporter#tls-endpoint >>> >>> A sample web.config file would look like this: >>> >>> tlsConfig: >>> tlsCertPath: /etc/prometheus/ssl/prom_node_cert.pem >>> tlsKeyPath: /etc/prometheus/ssl/prom_node_key.pem >>> >>> -- >>> You received this message because you are subscribed to the Google >>> Groups "Prometheus Users" group. >>> To unsubscribe from this group and stop receiving emails from it, send >>> an email to [email protected]. >>> To view this discussion on the web visit >>> https://groups.google.com/d/msgid/prometheus-users/d9292b98-2cda-418f-a06d-da946c08a39fn%40googlegroups.com >>> <https://groups.google.com/d/msgid/prometheus-users/d9292b98-2cda-418f-a06d-da946c08a39fn%40googlegroups.com?utm_medium=email&utm_source=footer> >>> . >>> >> -- You received this message because you are subscribed to the Google Groups "Prometheus Users" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion on the web visit https://groups.google.com/d/msgid/prometheus-users/CAKhb3rujvca2uBaHH%3DMZ6ELpfyqQQo%2BDWOE_Yt7V7KFOS9iFqw%40mail.gmail.com.
