The advice is to disable this scan, as it doesn't apply to the node_exporter. It is a false positive.
Blindly accepting security scanner messages as truth is the problem.

On Mon, Nov 30, 2020 at 7:01 AM Selvam Elangovan <[email protected]> wrote:

> This is what we got in the scan:
>
> X-Content-Type-Options HTTP Header missing on port 9100.
> X-Content-Type-Options HTTP Header missing on port 9100.
>
> Kindly advise how we can address this in node_exporter.
>
> Thanks & Regards,
> Selvam E.
>
> On Mon, Nov 30, 2020 at 11:12 AM Selvam Elangovan <[email protected]> wrote:
>
>> However, we could still access the endpoint 9100 with the host name in a
>> web browser.
>>
>> I understand that Strict-Transport-Security is used on a web server to
>> redirect HTTP to HTTPS by inserting that information in the header, so that
>> the client connects using HTTPS instead of HTTP.
>>
>> How can I justify this with the security scanner? Any help appreciated.
>>
>> On Tue, Nov 24, 2020 at 11:09 PM Selvam Elangovan <[email protected]> wrote:
>>
>>> Perfect. You are spot on. Thanks for your inputs. It helps us.
>>>
>>> Thanks & Regards,
>>> Selvam E.
>>>
>>> On Tue, 24 Nov 2020, 23:00 [email protected], <[email protected]> wrote:
>>>
>>>> I'm guessing what's happened is:
>>>> 1. You've run an (unnamed) security scanner against node_exporter.
>>>> 2. The scanner has come back with this message, telling you that
>>>>    node_exporter should return an STS header.
>>>>
>>>> I'm saying that the scanner's conclusion is wrong.
>>>>
>>>> Firstly, node_exporter isn't a web server, and you don't connect to it
>>>> with a web browser.
>>>>
>>>> Secondly, I don't know how you have configured node_exporter, but it
>>>> can either serve HTTP (default) or HTTPS (*), on one port that you select.
>>>> STS only makes sense for a website which has both HTTP and HTTPS endpoints,
>>>> usually on the standard ports 80 and 443. It tells the browser always to
>>>> select the HTTPS endpoint, and to remember this fact.
>>>>
>>>> node_exporter only provides one or the other, so (1) STS is
>>>> meaningless, and (2) this is not a vulnerability in node_exporter.
>>>>
>>>> If you've configured node_exporter on HTTP, then there's no HTTPS port
>>>> for STS to prefer. If you've configured node_exporter on HTTPS (and of
>>>> course configured Prometheus to scrape it on HTTPS), then there's no HTTP
>>>> port for STS to stop you using.
>>>>
>>>> Regards,
>>>>
>>>> Brian.
>>>>
>>>> (*) TLS is available in node_exporter 1.0.0+: you need to
>>>> set --web.config to point to a file which contains the tlsConfig settings.
>>>> See https://github.com/prometheus/node_exporter#tls-endpoint
>>>>
>>>> A sample web.config file would look like this:
>>>>
>>>> tlsConfig:
>>>>   tlsCertPath: /etc/prometheus/ssl/prom_node_cert.pem
>>>>   tlsKeyPath: /etc/prometheus/ssl/prom_node_key.pem
>>>>
>>>> --
>>>> You received this message because you are subscribed to the Google
>>>> Groups "Prometheus Users" group.
>>>> To unsubscribe from this group and stop receiving emails from it, send
>>>> an email to [email protected].
>>>> To view this discussion on the web visit
>>>> https://groups.google.com/d/msgid/prometheus-users/d9292b98-2cda-418f-a06d-da946c08a39fn%40googlegroups.com
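The reasoning Brian lays out (HSTS only has a job to do when the same host exposes both a plaintext HTTP listener and an HTTPS listener, so a single-scheme exporter on 9100 is a false positive, and a scrape-only text/plain endpoint is not what X-Content-Type-Options protects) can be turned into a repeatable triage step for scanner output. The script below is an added example, not code from this thread or from the Prometheus project. It goes a little beyond the node_exporter case by also handling a dual-scheme web host, where the same finding is genuine. The hostnames, the listener inventory and the captured response headers are constructed sample data; the `text/plain; version=0.0.4` content type is the real Prometheus text exposition format.

```python
"""Triage "missing security header" scanner findings against a listener inventory.

Added example, not from the mailing-list thread or the Prometheus project.
Rule encoded: Strict-Transport-Security matters only when one host serves
BOTH http and https; a single-scheme listener (node_exporter on 9100) can
neither use it nor be hurt by its absence.
"""
from dataclasses import dataclass
from typing import Dict, Tuple

# Constructed inventory: host -> port -> scheme.  Hostnames are hypothetical.
INVENTORY: Dict[str, Dict[int, str]] = {
    "node01.example.internal": {9100: "http"},           # default node_exporter
    "node02.example.internal": {9100: "https"},          # node_exporter with --web.config TLS
    "www.example.internal": {80: "http", 443: "https"},  # real website, both schemes
}

# Constructed raw response heads, as a scanner would capture them.
CAPTURED: Dict[Tuple[str, int], str] = {
    ("node01.example.internal", 9100): (
        "HTTP/1.1 200 OK\r\n"
        "Content-Type: text/plain; version=0.0.4; charset=utf-8\r\n"
        "Date: Mon, 30 Nov 2020 07:00:00 GMT\r\n\r\n# HELP node_load1 ..."),
    ("node02.example.internal", 9100): (
        "HTTP/1.1 200 OK\r\n"
        "Content-Type: text/plain; version=0.0.4; charset=utf-8\r\n\r\n"),
    ("www.example.internal", 80): (
        "HTTP/1.1 301 Moved Permanently\r\n"
        "Location: https://www.example.internal/\r\n\r\n"),
    ("www.example.internal", 443): (
        "HTTP/1.1 200 OK\r\n"
        "Content-Type: text/html; charset=utf-8\r\n\r\n<html>"),
}


@dataclass
class Finding:
    host: str
    port: int
    header: str  # header name the scanner reports as missing


def parse_headers(raw: str) -> Dict[str, str]:
    """Parse a captured response head into a lower-cased name -> value dict."""
    headers: Dict[str, str] = {}
    for line in raw.split("\r\n")[1:]:  # skip the status line
        if not line:                    # blank line ends the header block
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def triage(finding: Finding,
           inventory: Dict[str, Dict[int, str]] = INVENTORY,
           captured: Dict[Tuple[str, int], str] = CAPTURED) -> Tuple[str, str]:
    """Return (verdict, reason); verdict is false_positive, true_positive or needs_review."""
    listeners = inventory.get(finding.host, {})
    scheme = listeners.get(finding.port)
    if scheme is None:
        return "needs_review", f"{finding.host}:{finding.port} is not in the inventory"
    headers = parse_headers(captured[(finding.host, finding.port)])
    name = finding.header.lower()
    if name in headers:
        return "false_positive", f"{finding.header} is present: {headers[name]}"

    if name == "strict-transport-security":
        if set(listeners.values()) != {"http", "https"}:
            # Brian's point: no second scheme for STS to prefer or to forbid.
            return ("false_positive",
                    f"{finding.host} serves {scheme} only; HSTS needs both a plaintext "
                    "and a TLS listener on the host to have any effect")
        if scheme == "http":
            # RFC 6797: user agents ignore STS received over plaintext.
            return ("needs_review",
                    "HSTS is only honoured on HTTPS responses; evaluate this host's HTTPS listener")
        return "true_positive", "dual-scheme host whose HTTPS response lacks HSTS"

    if name == "x-content-type-options":
        ctype = headers.get("content-type", "")
        if ctype.startswith("text/plain") and "version=0.0.4" in ctype:
            # nosniff governs browser MIME sniffing; this is exposition text read by Prometheus.
            return ("false_positive",
                    "Prometheus text exposition consumed by a scraper, not rendered by a browser")

    return "needs_review", f"no triage rule for {finding.header}"


if __name__ == "__main__":
    for f in (Finding("node01.example.internal", 9100, "Strict-Transport-Security"),
              Finding("node02.example.internal", 9100, "Strict-Transport-Security"),
              Finding("www.example.internal", 443, "Strict-Transport-Security"),
              Finding("node01.example.internal", 9100, "X-Content-Type-Options")):
        verdict, reason = triage(f)
        print(f"{f.host}:{f.port} {f.header}: {verdict} ({reason})")
```

The inventory is the part worth keeping accurate in practice: the verdict for an HSTS finding depends on which schemes the host actually exposes, not on what the scanner assumed, which is exactly the check the thread says the scanner skipped.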

