X-Frame-Options or Content-Security:frame-ancestors HTTP Headers missing #5
Comments
Hi, Thanks
So I don't see why these headers would make anything more secure in the context of the node-exporter. Then again, I get where these best practices come from.
Yes, this should probably move over to the new http front-end library in exporter-toolkit.
Hello, I'm facing the same "issue". In fact, security teams are always pointing out this "vulnerability" because of PCI compliance. Now that TLS is supported, we need to maintain a reverse proxy only for those security headers, which is painful. I agree that we would need a set of defaults (or configurable headers) in the new front-end library. I would like to contribute if needed/possible. Thanks
The following vulnerabilities about HTTP Security Headers Not Detected on the node exporter endpoint port 9100 are creating issues. Is there any plan for fixing this issue sooner? Really appreciate your response on this. The same issue is also mentioned in the security audit report: https://prometheus.io/assets/downloads/2020-07-21--cure53_security_audit_node_exporter.pdf
We are seeing the errors below as a result of Qualys Scan QID 11827:
X-Frame-Options or Content-Security:frame-ancestors HTTP Headers missing on port 9100
X-XSS-Protection HTTP Header missing on port 9100
X-Content-Type-Options HTTP Header missing on port 9100
Is there a security patch or some config change in Node Exporter to add the security headers below?
X-XSS-Protection
X-Content-Type-Options
Content-Security-Policy
X-Frame-Options
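
An added example, not part of the original issue and not node_exporter or exporter-toolkit code: a Go `net/http` wrapper that sets the four headers listed above, with a check that reports which of the scan findings would still apply to a handler. The header values, the names `withSecurityHeaders` and `missingHeaders`, and the stub metrics handler are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Assumed values for a metrics-only endpoint; the issue names only the headers.
var securityHeaders = map[string]string{
	"X-Frame-Options":         "DENY",
	"Content-Security-Policy": "frame-ancestors 'none'",
	"X-Content-Type-Options":  "nosniff",
	"X-XSS-Protection":        "1; mode=block",
}

// withSecurityHeaders is a hypothetical wrapper, not node_exporter code.
func withSecurityHeaders(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		for name, value := range securityHeaders {
			w.Header().Set(name, value)
		}
		next.ServeHTTP(w, r)
	})
}

// missingHeaders lists the findings still raised; either framing header clears the first.
func missingHeaders(h http.Handler) (missing []string) {
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, httptest.NewRequest(http.MethodGet, "/metrics", nil))
	got := rec.Result().Header
	csp := strings.ToLower(got.Get("Content-Security-Policy"))
	if got.Get("X-Frame-Options") == "" && !strings.Contains(csp, "frame-ancestors") {
		missing = append(missing, "X-Frame-Options or CSP frame-ancestors")
	}
	for _, name := range []string{"X-XSS-Protection", "X-Content-Type-Options"} {
		if got.Get(name) == "" {
			missing = append(missing, name)
		}
	}
	return missing
}

func main() {
	// Constructed stand-in for the exporter's /metrics handler.
	stub := http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) { fmt.Fprintln(w, "node_load1 0.42") })
	fmt.Println("bare:   ", missingHeaders(stub))
	fmt.Println("wrapped:", missingHeaders(withSecurityHeaders(stub)))
}
```

The same wrapper can sit in a reverse proxy in front of port 9100, which is the workaround described in the comments above.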