[ZBX-14606] HSTS should not be set by Zabbix

Created: 2018 Jul 13 | Updated: 2024 Apr 10 | Resolved: 2018 Dec 13

Status: Closed
Project: ZABBIX BUGS AND ISSUES
Component/s: Frontend (F)
Affects Version/s: 3.4.11
Fix Version/s: 3.0.25rc1, 4.0.3rc1, 4.2.0alpha2, 4.2 (plan)
Type: Problem report
Priority: Trivial
Reporter: Max Ried
Assignee: Miks Kronkalns
Resolution: Fixed
Votes: 1
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified
Environment: Apache2, Debian 9.4, official Debian repos.
Attachments: not-found.png
Team: Team B
Sprint: Sprint 46, Nov 2018, Sprint 47, Dec 2018
Story Points: 0.125
Description
Excuse me if I'm a little bit too harsh, I spent hours debugging this. This is about /include/page_header.php, line 134 to 137 on 3.4.11-1+stretch. Also have a look at

On one hand it is useful to set the X-Frame-Options header, as this is application specific, and only the application developers know if the application has certain constraints and would not work if the header is set. On the other hand, HSTS is about the capabilities of the web server software, and not about the web application. Therefore HSTS is something that should never be done at application level. You also don't configure TLS certificates in Zabbix, but in your apache, nginx, whatever.

This causes the following problems:

1) If your https is misconfigured, or has a self-signed certificate, you effectively locked yourself out of your monitoring.
2) If you configured your server to provide HSTS headers, you get two and maybe even conflicting HSTS headers in your HTTP response, which violates RFC 6797, or makes you write exceptions for Zabbix in your httpd config.
3) This is hard to debug, as there seems to be no documentation of this behaviour at all.
4) It statically sets the max-age to 31557600 seconds, which is also not configurable.

Therefore HSTS headers should never be added by anyone but the web server. If you insist on Zabbix being able to add HSTS headers, you should seriously leave it disabled by default, make it configurable, and document it.
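The duplicate-header situation in point 2) is easy to miss by eye because a browser silently keeps only the first Strict-Transport-Security field it sees (RFC 6797 section 8.1). The following audit script is an added example, not Zabbix code and not part of this ticket: it parses a raw HTTP response, counts HSTS fields, flags conflicting policies and HSTS sent over plain HTTP, and reports the policy a browser would actually apply. The sample response is constructed to mimic a frontend that emits `max-age=31557600` itself while the web server is configured to send its own HSTS header.

```python
"""Audit an HTTP response for Strict-Transport-Security (HSTS) problems.

Added example for ZBX-14606; not Zabbix's own code. The responses below are
constructed inline for the demonstration.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

HSTS = "strict-transport-security"


@dataclass
class HstsReport:
    header_count: int
    max_age: Optional[int]          # the max-age a browser would apply (first header only)
    include_subdomains: bool
    findings: List[str] = field(default_factory=list)


def parse_headers(raw_response: str) -> List[Tuple[str, str]]:
    """Split a raw HTTP/1.1 response into (name, value) pairs with lowercased names."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    pairs = []
    for line in head.split("\r\n")[1:]:        # skip the status line
        name, _, value = line.partition(":")
        pairs.append((name.strip().lower(), value.strip()))
    return pairs


def parse_sts_directives(value: str) -> Dict[str, Optional[str]]:
    """Parse 'max-age=31536000; includeSubDomains' into a directive map (valueless -> None)."""
    directives: Dict[str, Optional[str]] = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        directives[name.strip().lower()] = val.strip().strip('"') or None
    return directives


def audit_hsts(raw_response: str, over_tls: bool) -> HstsReport:
    """Return what a browser would do with the HSTS fields in this response, plus findings."""
    sts_values = [v for n, v in parse_headers(raw_response) if n == HSTS]
    report = HstsReport(header_count=len(sts_values), max_age=None, include_subdomains=False)

    if not sts_values:
        if over_tls:
            report.findings.append("no HSTS header on a TLS response")
        return report

    if not over_tls:
        # RFC 6797 section 7.2: the field must not be sent over non-secure transport; UAs ignore it.
        report.findings.append("HSTS sent over plain HTTP; browsers ignore it (RFC 6797 section 7.2)")

    if len(sts_values) > 1:
        report.findings.append(
            f"{len(sts_values)} HSTS headers; only the first is processed (RFC 6797 section 8.1)")
        distinct = {v.replace(" ", "").lower() for v in sts_values}
        if len(distinct) > 1:
            report.findings.append("conflicting HSTS policies: " + " | ".join(sts_values))

    # The first field is the effective policy; a bad max-age there means no HSTS at all.
    effective = parse_sts_directives(sts_values[0])
    report.include_subdomains = "includesubdomains" in effective
    age = effective.get("max-age")
    if age is None or not re.fullmatch(r"\d+", age):
        report.findings.append("first HSTS header lacks a valid max-age; the field is ignored")
    else:
        report.max_age = int(age)
    return report


# Constructed sample: application-level HSTS followed by the web server's own header.
SAMPLE_FRONTEND = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "Strict-Transport-Security: max-age=31557600\r\n"
    "Strict-Transport-Security: max-age=63072000; includeSubDomains\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "\r\n"
    "<html>...</html>"
)

# Constructed sample: the same header emitted on a plain-HTTP response.
SAMPLE_PLAIN = (
    "HTTP/1.1 200 OK\r\n"
    "Strict-Transport-Security: max-age=31557600\r\n"
    "\r\n"
)

if __name__ == "__main__":
    for label, raw, tls in (("https", SAMPLE_FRONTEND, True), ("http", SAMPLE_PLAIN, False)):
        r = audit_hsts(raw, over_tls=tls)
        print(label, r.header_count, r.max_age, r.include_subdomains)
        for f in r.findings:
            print("  -", f)
```

Run against the constructed TLS response the audit shows two headers, reports a conflict, and that the effective policy is the frontend's `max-age=31557600` without `includeSubDomains`, so the web server's longer, subdomain-wide policy never takes effect. The same check run against a captured response from your own deployment tells you which of the two sources actually wins.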
Comments

Comment by Miks Kronkalns [ 2018 Nov 28 ]
Fixed in: