X-Frame-Options or Content-Security:frame-ancestors HTTP Headers missing #5
Comments
gitcubehub
changed the title
|
Hi, Thanks |
|
So I don't see why these headers would make anything more secure in the context of the node-exporter. Then again, I get where these best practices come from. |
|
Yes, this should probably move over to the new http front-end library in exporter-toolkit. |
roidelapluie
changed the title
|
Hello, I'm facing the same "issue". In fact, security teams are always pointing this "vulnerability" because of PCI compliance. Now that TLS is supported, we need to maintain a reverse proxy only for those security headers that is painful. I agree that we would need a set of defaults ( or configurable headers) in the new front-end library. I would like to contribute if needed/possible. Thanks |
|
Following vulnerabilities about HTTP Security Headers Not Detected on on the node exporter endpoint port 9100 is creating issues, is there any plan for fixing this issue sooner? Really appreciate your response on this. The same issue is also mentioned in security audit report: https://prometheus.io/assets/downloads/2020-07-21--cure53_security_audit_node_exporter.pdf
|
We are seeing below errors as result of Qualys Scan QID 11827
X-Frame-Options or Content-Security:frame-ancestors HTTP Headers missing on port 9100
X-XSS-Protection HTTP Header missing on port 9100
X-Content-Type-Options HTTP Header missing on port 9100
Is there a security patch or some config change in Node Exporter to add below security headers ?
X-XSS-Protection
X-Content-Type-Options
Content-Security-Policy
X-Frame-Options
The text was updated successfully, but these errors were encountered: