Educate users on HTTP security headers #97348
Labels
Feature:Hardening
Hardening of Kibana from a security perspective
Team:Security
Team focused on: Auth, Users, Roles, Spaces, Audit Logging, and more!
In #52809 (PR: #97158) we introduced configuration properties for security response headers:
- `server.securityResponseHeaders.strictTransportSecurity`, default: `null` (not enabled) ❌
- `server.securityResponseHeaders.xContentTypeOptions`, default: `'nosniff'` (enabled) ✅
- `server.securityResponseHeaders.referrerPolicy`, default: `'no-referrer-when-downgrade'` (enabled) ✅
- `server.securityResponseHeaders.permissionsPolicy`, default: `null` (not enabled) ❔
- `server.securityResponseHeaders.disableEmbedding`, default: `false` (not enabled, embedding is allowed) ❌

Out of these, it would be good to change the default for `strictTransportSecurity` and `disableEmbedding`. I propose the following:

- `strictTransportSecurity: max-age 31536000; includeSubDomains`
- `disableEmbedding: true`
At this point in time, `permissionsPolicy` is not yet implemented in most browsers, and the features that it can control do not appear to be well-defined. We may want to revisit this in the future when the benefits are clearer.
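As an added example (not code from this issue or from Kibana itself), a small Node.js check that audits a response's headers against the defaults proposed above. The way `disableEmbedding` is enforced (a CSP `frame-ancestors` directive or an `X-Frame-Options` header) is an assumption, not something the issue states.

```javascript
// Added example, not Kibana code: audit a response's headers against the
// defaults proposed in this issue. The frame-ancestors / X-Frame-Options check
// for disableEmbedding is an assumption about how that setting is enforced.
const ONE_YEAR = 31536000;

// Parse "max-age=31536000; includeSubDomains" into its two components.
function parseHsts(value) {
  const parts = value.split(';').map((p) => p.trim().toLowerCase());
  const maxAge = parts.find((p) => p.startsWith('max-age='));
  return {
    maxAge: maxAge ? Number(maxAge.slice('max-age='.length)) : null,
    includeSubDomains: parts.includes('includesubdomains'),
  };
}

// Returns a list of findings; an empty list means every proposed default is met.
function auditSecurityHeaders(headers) {
  // Header names are case-insensitive, so compare in lower case.
  const h = Object.fromEntries(Object.entries(headers).map(([k, v]) => [k.toLowerCase(), v]));
  const findings = [];
  if (!h['strict-transport-security']) {
    findings.push('strictTransportSecurity: header missing (proposed default enables it)');
  } else {
    const hsts = parseHsts(h['strict-transport-security']);
    if (hsts.maxAge === null || hsts.maxAge < ONE_YEAR) findings.push('strictTransportSecurity: max-age below 31536000');
    if (!hsts.includeSubDomains) findings.push('strictTransportSecurity: includeSubDomains missing');
  }
  if ((h['x-content-type-options'] || '').toLowerCase() !== 'nosniff') {
    findings.push('xContentTypeOptions: expected nosniff');
  }
  if (!h['referrer-policy']) findings.push('referrerPolicy: header missing');
  // disableEmbedding: true should stop other origins framing Kibana; assumed to be
  // enforced via a CSP frame-ancestors directive or an X-Frame-Options header.
  const csp = (h['content-security-policy'] || '').toLowerCase();
  const framingBlocked = csp.includes('frame-ancestors') || Boolean(h['x-frame-options']);
  if (!framingBlocked) findings.push('disableEmbedding: page can be embedded by other origins');
  return findings;
}

// Constructed sample responses: today's defaults and the proposed ones.
const currentDefaults = { 'X-Content-Type-Options': 'nosniff', 'Referrer-Policy': 'no-referrer-when-downgrade' };
const proposedDefaults = {
  ...currentDefaults,
  'Strict-Transport-Security': 'max-age=31536000; includeSubDomains',
  'Content-Security-Policy': "frame-ancestors 'self'",
  'X-Frame-Options': 'SAMEORIGIN',
};
console.log(auditSecurityHeaders(currentDefaults)); // two findings: HSTS missing, embedding allowed
console.log(auditSecurityHeaders(proposedDefaults)); // []
```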