Strict-Transport-Security for opendistro

asfoorial · February 2, 2021, 3:19pm

Good day,

Is there a way to configure address RFC6797 vulnerability and force Strict-Transport-Security in the server headers?

I was able to do it in Kibana by including server.customResponseHeaders in kibana.yml

I was not able to find an equivalent configuration is elasticsearch. I was wondering if opendistro has such configuration?

Thanks,
Hasan

pablo · February 3, 2021, 10:46am

Elasticsearch in opendistro won’t response to HTTP curl requests, unless you disable security plugin.

asfoorial · February 3, 2021, 3:37pm

It does respond to curl requests. Actually I just ran the below and got the HTTP response but without the HSTS header.

curl -XGET “https://localhost:9200” -u admin:admin -ik

Topic		Replies	Views
How to configure .opendistro_security index with HTTP Open Source Elasticsearch and Kibana	1	670	November 13, 2020
How to enable http strict transport security (HSTS)? Security	1	487	February 23, 2023
Opendistro_security.ssl.http.enabled property Security	3	525	July 9, 2021
How can I send logs to elasticsearch without username and password. But with enabled security plugin Security	7	1414	August 25, 2021
SSL Woes with OpenDistro on Docker Security	6	1009	May 31, 2021