ZBX-15126: Response header "Strict-Transport-Security" is always set

    • Type: Incident report
    • Resolution: Duplicate
    • Priority: Trivial

Zabbix sets the response header "Strict-Transport-Security" (unconfigurably) in two places.

In my opinion this is a very bad practice. There are a few ways of specifying this specific "security feature", and by defining it hard-coded in application code you take away flexibility from sysops.

An even worse side effect of setting the header might result in the site not being accessible at all if, for whatever reason, you need to disable SSL.

If you look at e.g. Mozilla's server configurator, they recommend setting HSTS when configuring SSL, which in my experience is the responsibility of server admins.

Please consider removing such unconditionally set features and leave it to your sysop to configure.

Steps to reproduce:

Result:

Two headers in server response:

< strict-transport-security: max-age=31557600
< strict-transport-security: max-age=31536000; includeSubDomains
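A check for the condition this report describes, added here as an example and not part of the Zabbix issue or its code base: it parses raw HTTP response headers (a constructed sample that mirrors the two headers quoted above) and flags duplicate or conflicting Strict-Transport-Security values. The function and sample names are my own assumptions.

```python
"""Detect duplicate or conflicting Strict-Transport-Security (HSTS) headers.

Added example; not Zabbix code. SAMPLE_RESPONSE is constructed to mirror
the two headers quoted in the report.
"""
import re

# Constructed sample response carrying the two HSTS headers from the report.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "strict-transport-security: max-age=31557600\r\n"
    "strict-transport-security: max-age=31536000; includeSubDomains\r\n"
    "\r\n"
)


def parse_headers(raw):
    """Return a list of (name, value) pairs from a raw HTTP response.

    A list is used on purpose: a dict keyed by header name would silently
    collapse the duplicate header this check is looking for.
    """
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")[1:]  # skip the status line
    pairs = []
    for line in lines:
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        pairs.append((name.strip().lower(), value.strip()))
    return pairs


def parse_hsts(value):
    """Parse one Strict-Transport-Security field value into its directives."""
    directives = {"max_age": None, "include_subdomains": False, "preload": False}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        m = re.fullmatch(r'max-age\s*=\s*"?(\d+)"?', part, re.IGNORECASE)
        if m:
            directives["max_age"] = int(m.group(1))
        elif part.lower() == "includesubdomains":
            directives["include_subdomains"] = True
        elif part.lower() == "preload":
            directives["preload"] = True
    return directives


def check_hsts(raw):
    """Return a list of findings about the HSTS headers in a raw response.

    An empty list means either no HSTS header or a single consistent one.
    """
    values = [v for n, v in parse_headers(raw) if n == "strict-transport-security"]
    findings = []
    if not values:
        return findings
    if len(values) > 1:
        findings.append("duplicate: %d Strict-Transport-Security headers" % len(values))
    parsed = [parse_hsts(v) for v in values]
    ages = {p["max_age"] for p in parsed}
    if len(ages) > 1:
        findings.append("conflicting max-age values: %s" % sorted(ages))
    subs = {p["include_subdomains"] for p in parsed}
    if len(subs) > 1:
        findings.append("includeSubDomains present in some headers but not others")
    return findings


if __name__ == "__main__":
    for finding in check_hsts(SAMPLE_RESPONSE):
        print(finding)
```

The check reports the conflict rather than merging the two values because RFC 6797 tells user agents to process only the first Strict-Transport-Security field when several are present, so in the quoted response the includeSubDomains directive of the second header never takes effect. Feeding the output of a real request (for example the header lines from `curl -si`) into `check_hsts` shows whether an application and a front-end web server are both emitting the header.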

Assignee: Unassigned
Reporter: Alex Hofbauer