Strict-Transport-Security for opendistro

Good day,

Is there a way to address the RFC6797 vulnerability and force Strict-Transport-Security in the server headers?

I was able to do it in Kibana by including server.customResponseHeaders in kibana.yml

I was not able to find an equivalent configuration in elasticsearch. I was wondering if opendistro has such a configuration?

Thanks,
Hasan


@asfoorial

Elasticsearch in opendistro won't respond to HTTP curl requests, unless you disable the security plugin.

It does respond to curl requests. Actually I just ran the below and got the HTTP response but without the HSTS header.

curl -XGET "https://localhost:9200" -u admin:admin -ik
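The curl output above is what a scanner flagging RFC 6797 looks at: the response headers, and whether a Strict-Transport-Security header with a usable max-age is among them. The script below is an added example, not code from the thread or from the Open Distro project. It parses a captured header block, checks for the HSTS header case-insensitively, and validates its max-age against a minimum. The one-year minimum and the sample responses are assumptions constructed for the example; the `admin:admin` credentials in the live-usage line are the ones from the post.

```shell
#!/bin/sh
# Added example (not from the original thread): check captured HTTP response
# headers for a Strict-Transport-Security (RFC 6797) header and validate its
# max-age. The function takes text so it can be fed either a live curl capture
# or the constructed samples below.

# hsts_check HEADERS [MIN_AGE]
# Returns 0 when an HSTS header with max-age >= MIN_AGE is present, 1 otherwise.
hsts_check() {
    headers=$1
    min_age=${2:-31536000}   # one year; assumed policy minimum for this example

    # Header names are case-insensitive; drop the CR from CRLF line endings.
    # The pipeline ends in head, so a missing header yields an empty string.
    line=$(printf '%s\n' "$headers" | tr -d '\r' \
        | grep -i '^strict-transport-security:' | head -n 1)
    if [ -z "$line" ]; then
        echo "MISSING: no Strict-Transport-Security header"
        return 1
    fi

    # Pull the numeric max-age directive (directive names are case-insensitive too).
    max_age=$(printf '%s\n' "$line" | tr 'A-Z' 'a-z' \
        | sed -n 's/.*max-age=\([0-9][0-9]*\).*/\1/p')
    if [ -z "$max_age" ]; then
        echo "INVALID: HSTS header without max-age: $line"
        return 1
    fi

    if [ "$max_age" -lt "$min_age" ]; then
        echo "WEAK: max-age=$max_age is below the minimum of $min_age"
        return 1
    fi

    echo "OK: $line"
    return 0
}

# Constructed sample responses (not captured from a real cluster).
SAMPLE_NO_HSTS='HTTP/1.1 200 OK
content-type: application/json; charset=UTF-8
content-length: 541'

SAMPLE_HSTS='HTTP/1.1 200 OK
Strict-Transport-Security: max-age=31536000; includeSubDomains
content-type: application/json; charset=UTF-8'

# Live usage against a node (assumes the credentials from the post):
#   hsts_check "$(curl -sk -D - -o /dev/null -u admin:admin https://localhost:9200)"
```

Running the function over a live capture from the node in the post reports MISSING, which is the finding the scanner raises. For Kibana, the `server.customResponseHeaders` setting mentioned earlier takes a map of header names to values, so the same check can confirm the header is actually emitted after that change.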