Incident report
Resolution: Duplicate
Trivial
Zabbix sets the response header "Strict-Transport-Security" (unconfigurably) in two places.
In my opinion this is a very bad practice. There are a few ways of specifying this specific "security feature" and by defining it hard-coded in application code you take away flexibility from sysops.
An even worse side-effect of setting the header might result in the site not being accessible at all if, for whatever reason, you need to disable SSL.
If you look at e.g. Mozilla's server configurator they recommend setting HSTS when configuring SSL, which in my experience is the responsibility of server admins.
Please consider removing such unconditionally set features and leave it to your sysop to configure.
Steps to reproduce:
- Install Zabbix
- Set header in server product of your choice
- Use curl to access Zabbix: "curl -vI https://your.site.monitoring"
Result:
Two headers in server response:
< strict-transport-security: max-age=31557600
< strict-transport-security: max-age=31536000; includeSubDomains
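An added example, not part of this report and not Zabbix code, showing how an operator can turn the `curl -vI` check above into an automated audit: it parses the response-side lines of curl's verbose output, extracts every Strict-Transport-Security header, and flags duplicates and conflicting policies. The relevance of the duplicate is that RFC 6797 (section 8.1) requires a user agent to process only the first STS header it sees, so in the response quoted above the second header, the one carrying includeSubDomains, is silently ignored. The sample response block is constructed from the two header lines quoted in this report plus a made-up status line and Server header; no real host is contacted.

```python
"""Audit a curl -v response header block for duplicate or conflicting
Strict-Transport-Security (HSTS) headers.

Added example for this report, not Zabbix code. SAMPLE_RESPONSE is a
constructed header block: the two HSTS lines are the ones quoted in the
report, the status line and Server header are made up.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample: the response side ("< " prefix) of `curl -vI` output.
SAMPLE_RESPONSE = """< HTTP/1.1 200 OK
< Server: nginx
< strict-transport-security: max-age=31557600
< strict-transport-security: max-age=31536000; includeSubDomains
< Content-Type: text/html; charset=UTF-8
"""


def parse_curl_headers(raw: str) -> List[Tuple[str, str]]:
    """Return (name, value) pairs for every response header in curl -v output.

    Only lines prefixed with '< ' are response lines; the status line has no
    ':' and is skipped. Header names are case-insensitive, so they are
    lower-cased here.
    """
    headers = []
    for line in raw.splitlines():
        if not line.startswith("< "):
            continue
        body = line[2:]
        if ":" not in body:
            continue  # status line or blank separator
        name, _, value = body.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return headers


def parse_hsts(value: str) -> Dict[str, object]:
    """Parse one HSTS header value into its directives (RFC 6797 section 6.1).

    Unknown directives are ignored, as the RFC requires; max-age may be quoted.
    """
    out: Dict[str, object] = {"max-age": None, "includeSubDomains": False, "preload": False}
    for directive in value.split(";"):
        directive = directive.strip()
        if not directive:
            continue
        key, _, val = directive.partition("=")
        key = key.strip().lower()
        if key == "max-age":
            m = re.fullmatch(r'"?(\d+)"?', val.strip())
            if m:
                out["max-age"] = int(m.group(1))
        elif key == "includesubdomains":
            out["includeSubDomains"] = True
        elif key == "preload":
            out["preload"] = True
    return out


def audit_hsts(raw: str) -> Dict[str, object]:
    """Summarise the HSTS policy a user agent would actually apply.

    Per RFC 6797 section 8.1 a UA processes only the first STS header, so
    "effective" is the first header's policy and "ignored" lists the rest.
    "conflicting" is True when the copies do not agree, i.e. the enforced
    policy depends purely on the order the server happened to emit them.
    """
    values = [v for n, v in parse_curl_headers(raw) if n == "strict-transport-security"]
    parsed = [parse_hsts(v) for v in values]
    distinct = {(p["max-age"], p["includeSubDomains"], p["preload"]) for p in parsed}
    return {
        "count": len(values),
        "duplicate": len(values) > 1,
        "conflicting": len(distinct) > 1,
        "effective": parsed[0] if parsed else None,
        "ignored": parsed[1:],
    }


if __name__ == "__main__":
    for key, val in audit_hsts(SAMPLE_RESPONSE).items():
        print(f"{key}: {val}")
```

To use it against a live deployment, save the output of `curl -vI https://your.site.monitoring 2>&1` to a file and pass its contents to `audit_hsts`; a result with `duplicate` True and `conflicting` True is exactly the situation described in this report, where the application-set header wins over whatever the web server was configured to send.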