Project: ZABBIX BUGS AND ISSUES
ZBX-14606

HSTS should not be set by Zabbix


    • Sprint 46, Nov 2018, Sprint 47, Dec 2018
    • 0.125

Excuse me if I'm a little bit too harsh, I spent hours debugging this.

This is about /include/page_header.php, lines 134 to 137 on 3.4.11-1+stretch. Also have a look at ZBX-13133.

On one hand it is useful to set the X-Frame-Options header, as this is application specific, and only the application developers know if the application has certain constraints and would not work if the header is set. On the other hand, HSTS is about the capabilities of the web server software, and not about the web application.

Therefore HSTS is something that should never be done at application level. You also don't configure TLS certificates in Zabbix, but in your apache, nginx, whatever. This causes the following problems:

1) If your HTTPS is misconfigured or has a self-signed certificate, you have effectively locked yourself out of your monitoring.

2) If you configured your server to provide HSTS headers, you get two and maybe even conflicting HSTS headers in your HTTP response, which violates RFC 6797, or makes you write exceptions for Zabbix in your httpd config.

3) This is hard to debug, as there seems to be no documentation of this behaviour at all.

4) It statically sets the max-age to 31557600 seconds, which is also not configurable.

Therefore HSTS headers should never be added by anyone but the web server. If you insist on Zabbix being able to add HSTS headers, you should seriously leave it disabled by default, make it configurable, and document it.
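An added illustration of problem 2 above, not code from the issue or from Zabbix: this Python check parses a constructed HTTP response that carries two Strict-Transport-Security headers (the frontend's fixed max-age=31557600 next to a hypothetical web-server policy) and reports which one a conforming client actually honours under RFC 6797. The sample header values are assumptions.

```python
# Constructed sample (hypothetical values, not a real capture): a Zabbix-style
# response in which both the PHP frontend and the web server emitted an
# STS header with different max-age values.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "Strict-Transport-Security: max-age=31557600\r\n"
    "Strict-Transport-Security: max-age=63072000; includeSubDomains\r\n"
    "\r\n"
)

def header_values(raw, name):
    """All values of header `name` (case-insensitive), in wire order."""
    head = raw.split("\r\n\r\n", 1)[0]
    pairs = (l.split(":", 1) for l in head.split("\r\n")[1:] if ":" in l)
    return [v.strip() for k, v in pairs if k.strip().lower() == name.lower()]

def parse_sts(value):
    """Parse one STS field value per RFC 6797 section 6.1; None if invalid
    (missing or non-numeric max-age, or a directive repeated)."""
    directives = {}
    for part in filter(None, (p.strip() for p in value.split(";"))):
        name, has_val, val = part.partition("=")
        name = name.strip().lower()
        if name in directives:  # each directive MUST appear only once
            return None
        directives[name] = val.strip().strip('"') if has_val else None
    max_age = directives.get("max-age")
    if max_age is None or not max_age.isdigit():
        return None
    return directives

def audit_hsts(raw):
    """Report duplicate or conflicting STS headers in a raw HTTP response."""
    values = header_values(raw, "Strict-Transport-Security")
    parsed = [parse_sts(v) for v in values]
    # RFC 6797 section 8.1: a UA processes only the first STS field it sees,
    # so a stricter server-side policy sent second is silently ignored.
    first = parsed[0] if parsed else None
    max_ages = {int(p["max-age"]) for p in parsed if p}
    return {
        "count": len(values),
        "duplicate": len(values) > 1,
        "conflicting_max_age": len(max_ages) > 1,
        "invalid_fields": [v for v, p in zip(values, parsed) if p is None],
        "effective_max_age": int(first["max-age"]) if first else None,
    }
```

Run `audit_hsts(SAMPLE_RESPONSE)` to see that the application's one-year value wins and the server's policy is discarded by a conforming browser.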

Miks Kronkalns
Max Ried <maxried@posteo.de>
Team B