Educate users on HTTP security headers #97348

Open
jportner opened this issue Apr 16, 2021 · 2 comments
Labels
Feature:Hardening Hardening of Kibana from a security perspective Team:Security Team focused on: Auth, Users, Roles, Spaces, Audit Logging, and more!

Comments

@jportner
Contributor

In #52809 (PR: #97158) we introduced configuration properties for security response headers:

  • server.securityResponseHeaders.strictTransportSecurity, default: null (not enabled) ❌
  • server.securityResponseHeaders.xContentTypeOptions, default: 'nosniff' (enabled) ✅
  • server.securityResponseHeaders.referrerPolicy, default: 'no-referrer-when-downgrade' (enabled) ✅
  • server.securityResponseHeaders.permissionsPolicy, default: null (not enabled) ❔
  • server.securityResponseHeaders.disableEmbedding, default: false (not enabled, embedding is allowed) ❌

Out of these, it would be good to change the default for strictTransportSecurity and disableEmbedding. I propose the following:

  • strictTransportSecurity: max-age 31536000; includeSubDomains
    • This has the potential to break other sites when Kibana is hosted via HTTPS on a domain, and other websites are hosted HTTP-only on the same domain (or subdomains). In that case, users will be unable to access the HTTP-only websites after receiving this header from Kibana. If this did occur, end-users can clear their browser settings for HSTS, but at this point in time it is not clear how to do so when you encounter an error.
  • disableEmbedding: true
    • This has the potential to break Kibana usage when Kibana is being embedded in other pages -- it would prevent Kibana from functioning when embedded in a different website. We do not yet have usage data to estimate how many users this will impact.

At this point in time, permissionsPolicy is not yet implemented in most browsers, and the features that it can control do not appear to be well-defined. We may want to revisit this in the future when the benefits are clearer.

@jportner jportner added Team:Security Team focused on: Auth, Users, Roles, Spaces, Audit Logging, and more! v8.0.0 Breaking Change labels Apr 16, 2021
@elasticmachine
Contributor

Pinging @elastic/kibana-security (Team:Security)

@jportner jportner changed the title Set secure defaults for security response headers Set secure defaults for HTTP security headers Apr 16, 2021
@legrego legrego changed the title Set secure defaults for HTTP security headers Educate secure defaults for HTTP security headers Jun 16, 2021
@jportner
Contributor Author

Changing the default headers is potentially too disruptive for users, and we don't have a great way to display useful errors / help users fix these problems in failure scenarios.

A better alternative would be to display a prominent warning in a Security Checkup screen and tell them to set these headers.
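
Added example (not Kibana's code, not from any participant in this issue): it models the `server.securityResponseHeaders` settings listed in the opening post with their stated defaults, derives the response headers a browser would receive, and runs the kind of Security Checkup proposed above, including the `includeSubDomains` caveat from the first post. The header names that `disableEmbedding` maps to (`X-Frame-Options` plus a CSP `frame-ancestors` directive) are an assumption about Kibana's behaviour, not something the issue states.

```typescript
type SecurityResponseHeaders = {
  strictTransportSecurity: string | null; xContentTypeOptions: string | null; referrerPolicy: string | null;
  permissionsPolicy: string | null; disableEmbedding: boolean;
};

// Defaults exactly as listed in the issue description.
const KIBANA_DEFAULTS: SecurityResponseHeaders = {
  strictTransportSecurity: null,
  xContentTypeOptions: 'nosniff',
  referrerPolicy: 'no-referrer-when-downgrade',
  permissionsPolicy: null,
  disableEmbedding: false,
};

// Map config to the response headers a browser receives (lower-cased names); assumption: disableEmbedding emits X-Frame-Options plus CSP frame-ancestors.
function buildHeaders(cfg: SecurityResponseHeaders): Record<string, string> {
  const h: Record<string, string> = {};
  if (cfg.strictTransportSecurity) h['strict-transport-security'] = cfg.strictTransportSecurity;
  if (cfg.xContentTypeOptions) h['x-content-type-options'] = cfg.xContentTypeOptions;
  if (cfg.referrerPolicy) h['referrer-policy'] = cfg.referrerPolicy;
  if (cfg.permissionsPolicy) h['permissions-policy'] = cfg.permissionsPolicy;
  if (cfg.disableEmbedding) {
    h['x-frame-options'] = 'SAMEORIGIN';
    h['content-security-policy'] = "frame-ancestors 'self'";
  }
  return h;
}

// Parse HSTS directives, e.g. "max-age=31536000; includeSubDomains" (directive names are case-insensitive).
function parseHsts(value: string): { maxAge: number; includeSubDomains: boolean } {
  const out = { maxAge: 0, includeSubDomains: false };
  for (const part of value.split(';')) {
    const [name, raw = ''] = part.split('=').map((s) => s.trim().toLowerCase());
    if (name === 'max-age') out.maxAge = Number(raw);
    if (name === 'includesubdomains') out.includeSubDomains = true;
  }
  return out;
}

// Warnings a Security Checkup screen could show for a given set of response headers.
function securityCheckup(headers: Record<string, string>): string[] {
  const w: string[] = [];
  const hsts = headers['strict-transport-security'];
  if (!hsts) w.push('HSTS disabled: set server.securityResponseHeaders.strictTransportSecurity');
  else {
    const { maxAge, includeSubDomains } = parseHsts(hsts);
    if (!(maxAge >= 31536000)) w.push(`HSTS max-age ${maxAge} is below one year`); // also catches NaN
    if (includeSubDomains) w.push('HSTS includeSubDomains: HTTP-only sites on subdomains become unreachable');
  }
  const csp = headers['content-security-policy'] ?? '';
  if (!headers['x-frame-options'] && !csp.includes('frame-ancestors'))
    w.push('Embedding allowed: set server.securityResponseHeaders.disableEmbedding: true');
  return w;
}
```

With the defaults from the issue the checkup reports the two missing protections; with the proposed values it reports only the `includeSubDomains` caveat, which is what a checkup screen would need to explain to the user.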

@jportner jportner changed the title Educate secure defaults for HTTP security headers Educate users on HTTP security headers Jun 16, 2021
@exalate-issue-sync exalate-issue-sync bot added impact:low Addressing this issue will have a low level of impact on the quality/strength of our product. loe:small Small Level of Effort labels Aug 5, 2021
@legrego legrego removed EnableJiraSync loe:small Small Level of Effort impact:low Addressing this issue will have a low level of impact on the quality/strength of our product. labels Aug 18, 2022
@legrego legrego added the Feature:Hardening Hardening of Kibana from a security perspective label Jan 13, 2023