21 Jun 2023 10:30 AM - edited 02 Oct 2023 08:03 AM
Your Security Team asks you to "enable HSTS", or a scanner reports "HSTS is missing" or "Strict Transport Security Not Enforced" for a Dynatrace ActiveGate or Managed cluster node, or reports that the "Strict Transport Security header is not present in the response" for an application monitored by OneAgent.
Issue | Solution | Tasks | Alternative(s) |
---|---|---|---|
Security concern regarding HSTS (HTTP Strict Transport Security) for ActiveGate, Managed or OneAgent | Explain that HSTS is not applicable here; see below | Review the information below and explain it to your Security Team | Submit a support ticket if you need additional details or face a different scenario |
First, a quick recap of what the HSTS (HTTP Strict Transport Security) header does (see RFC 6797, https://tools.ietf.org/html/rfc6797#section-2.2, or the Wikipedia article https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security).
If a response received over HTTPS carries the HSTS header, the User Agent (the browser) must, for the time given in the max-age directive, use only HTTPS for all requests to that host: it rewrites any http:// URL for the host to https:// before sending it and treats certificate errors as fatal. The header is ignored when it arrives over plain HTTP, so it only takes effect on a host that already serves HTTPS correctly.
Dynatrace does not support enabling HSTS on Dynatrace Managed cluster nodes or on ActiveGates.
HSTS is intended for servers reachable from the public Internet. Dynatrace Managed cluster nodes are normally internal-only servers, and in most use cases user browsers do not connect directly to ActiveGates, and certainly not as their primary connection.
Note: To avoid findings in security scans, Dynatrace does add the HSTS header on these ActiveGate endpoints: Environment API v1, Environment API v2, Configuration API, and State API (/rest/state, /rest/health).
As a last remark: OneAgent is not aware of the HTTP server or application server configuration, so it cannot know whether HSTS is intended for the site. It cannot know for sure even by looking at the responses, because the header could also be added by another device in front of the server (reverse proxy, load balancer, ...).
For this reason, OneAgent does not inject this header itself. Doing so would instruct every HTTP client to send all further requests to the site over HTTPS, which could break a web application that is not designed to serve all requests via HTTPS. If HSTS is wanted for a monitored application, configure it on the web server, application server, or reverse proxy that terminates TLS, not in OneAgent.
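As an added illustration (example code written for this article, not code shipped by Dynatrace or part of OneAgent, ActiveGate, or the original post), the following Python models the browser-side behaviour described above: a policy is recorded only from an HTTPS response that carries a well-formed Strict-Transport-Security header, and for the lifetime of max-age every later http:// request to that host (and, with includeSubDomains, its subdomains) is rewritten to https:// before it leaves the browser. Running it also shows why an injected header on an HTTP-only application would redirect all of its traffic to a port it may not serve. The hostnames, header values and requests are constructed for the demo.

```python
"""Model how a browser handles Strict-Transport-Security (RFC 6797):
which responses create a policy, and what happens to later plain-HTTP
requests to that host once a policy is cached."""
import time
from urllib.parse import urlsplit, urlunsplit

# Constructed sample responses for the demo; the hostnames are assumptions,
# not real ActiveGate or application endpoints.
SAMPLE_RESPONSES = [
    # (scheme the response arrived over, host, response headers)
    ("https", "activegate.example.internal",
     {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"}),
    ("http", "intranet-app.example.internal",          # over plain HTTP: ignored
     {"Strict-Transport-Security": "max-age=31536000"}),
    ("https", "legacy.example.internal", {}),          # no header: no policy
]


def parse_hsts(value):
    """Parse an STS header value into its directives. Returns None when the
    mandatory max-age directive is missing or not a non-negative integer."""
    max_age, include_sub, preload = None, False, False
    for part in value.split(";"):
        name, _, raw = part.strip().partition("=")
        name, raw = name.strip().lower(), raw.strip().strip('"')  # max-age="0" is legal
        if name == "max-age":
            if not raw.isdigit():
                return None
            max_age = int(raw)
        elif name == "includesubdomains":
            include_sub = True
        elif name == "preload":
            preload = True
    if max_age is None:
        return None
    return {"max_age": max_age, "include_subdomains": include_sub, "preload": preload}


class HstsStore:
    """A minimal per-host HSTS policy cache, as a browser keeps it."""

    def __init__(self, now=time.time):
        self._now = now        # injectable clock so expiry can be exercised
        self._hosts = {}       # host -> (expires_at, include_subdomains)

    def observe(self, scheme, host, headers):
        """Apply one response (RFC 6797 section 8.1). Only an HTTPS response
        (assumed here to have a valid certificate) can set a policy;
        max-age=0 deletes one. Returns True when a policy is stored."""
        if scheme != "https":
            return False
        value = next((v for k, v in headers.items()
                      if k.lower() == "strict-transport-security"), None)
        policy = parse_hsts(value) if value is not None else None
        if policy is None:
            return False
        host = host.lower()
        if policy["max_age"] == 0:
            self._hosts.pop(host, None)
            return False
        self._hosts[host] = (self._now() + policy["max_age"], policy["include_subdomains"])
        return True

    def is_known(self, host):
        """True if host, or a parent with includeSubDomains, has an unexpired policy."""
        labels = host.lower().split(".")
        now = self._now()
        for i in range(len(labels)):
            entry = self._hosts.get(".".join(labels[i:]))
            if entry and entry[0] > now and (i == 0 or entry[1]):
                return True
        return False

    def rewrite(self, url):
        """URL the browser would really fetch (RFC 6797 section 8.3): http://
        becomes https:// for known hosts, port 80 is dropped, other ports kept."""
        parts = urlsplit(url)
        if parts.scheme != "http" or not self.is_known(parts.hostname or ""):
            return url
        netloc = parts.hostname
        if parts.port not in (None, 80):
            netloc = f"{netloc}:{parts.port}"
        return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))


def run_demo():
    """Feed the sample responses into a fresh store and return what each
    later plain-HTTP request would be turned into."""
    store = HstsStore()
    for scheme, host, headers in SAMPLE_RESPONSES:
        store.observe(scheme, host, headers)
    later_requests = [
        "http://activegate.example.internal/rest/health",
        "http://api.activegate.example.internal:9999/api/v2/metrics",
        "http://intranet-app.example.internal/login",
        "http://legacy.example.internal/",
    ]
    return {url: store.rewrite(url) for url in later_requests}


if __name__ == "__main__":
    for before, after in run_demo().items():
        print(f"{before}\n  -> {after}")
```

The first two requests are upgraded (the second because of includeSubDomains, keeping its explicit port), while the header sent over plain HTTP by intranet-app leaves no policy behind. Swap that host's scheme to https in SAMPLE_RESPONSES and every later http:// request to it is silently rewritten for a year, which is exactly the situation an injected header would create for an application that only listens on HTTP.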