21 Jun 2023 10:30 AM - edited 02 Oct 2023 08:03 AM
The Security Team is asking to "enable HSTS" or is alerting that "HSTS is missing" or "Strict Transport Security Not Enforced" for Dynatrace ActiveGate or Managed, or that the "Strict Transport Security header is not present in the response" for OneAgent.
| Issue | Solution | Tasks | Alternative(s) |
|---|---|---|---|
| Security concern regarding HSTS (HTTP Strict Transport Security) for ActiveGate, Managed or OneAgent | Explain that HSTS is not applicable here - see below | Check the information below and explain it to your Security Team | Submit a support ticket if you need additional details or you face a different scenario |
First of all, a quick recap of what the HSTS (HTTP Strict Transport Security) header is all about (taken from the RFC https://tools.ietf.org/html/rfc6797#section-2.2 or also explained on Wikipedia https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security).
If the HSTS header is set in an HTTPS response, the User Agent (= Browser) should from then on only use trusted HTTPS connections for all requests to the same host for the specified amount of time.
We do not support enabling HSTS on Dynatrace Managed cluster nodes or on ActiveGates.
HSTS is in general for public Internet servers, and in general, Dynatrace Managed cluster nodes are internal-only servers. User browsers should not be connecting directly to ActiveGates in most use cases, and certainly not as a primary connection.
Note: To avoid showing up in security scans, Dynatrace adds HSTS for those ActiveGate endpoints: Environment API v1, Environment API v2, Configuration API, State API (/rest/state, /rest/health).
As a last remark, the Dynatrace OneAgent is not aware of the HTTP server/app server configuration, so it doesn't know if HSTS is generally enabled or not. Actually, the Agent cannot know for sure, because this header could potentially also be added on another network device (reverse proxy, load balancer, ...).
For this reason, OneAgent cannot add this header as it would tell the HTTP client to only send requests via HTTPS to this site from then on. This could potentially break the web application if it's not designed to serve all requests via HTTPS.
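To make the scanner finding concrete, here is an added example (not part of the original post and not Dynatrace code) that evaluates a Strict-Transport-Security header the way a browser or scanner does under RFC 6797: it validates the directives and classifies a response as missing, invalid, cleared, enforced, or ignored because it arrived over plain HTTP. The sample URLs and headers are constructed, not real ActiveGate output.

```python
from typing import Optional

def parse_hsts(value: str) -> Optional[dict]:
    """Parse an STS header value; None if invalid per RFC 6797 6.1
    (max-age is mandatory, no directive may appear twice)."""
    seen, policy = set(), {"max_age": None, "include_subdomains": False, "preload": False}
    for raw in value.split(";"):
        directive = raw.strip()
        if not directive:
            continue
        name, _, arg = directive.partition("=")
        name = name.strip().lower()
        if name in seen:
            return None
        seen.add(name)
        if name == "max-age":
            arg = arg.strip().strip('"')
            if not arg.isdigit():
                return None
            policy["max_age"] = int(arg)
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":
            policy["preload"] = True
        # Unknown directives are ignored, as the RFC requires.
    return None if policy["max_age"] is None else policy

def hsts_status(scheme: str, headers: dict) -> str:
    """Classify one response the way a browser (or scanner) would:
    missing, ignored-over-http, invalid, cleared or enforced."""
    value = next((v for k, v in headers.items() if k.lower() == "strict-transport-security"), None)
    if value is None:
        return "missing"
    if scheme.lower() != "https":
        return "ignored-over-http"  # RFC 6797 8.1: STS received over plain HTTP has no effect
    policy = parse_hsts(value)
    if policy is None:
        return "invalid"
    return "cleared" if policy["max_age"] == 0 else "enforced"

# Constructed sample responses (not real ActiveGate output) for endpoints named in the post.
SAMPLE_RESPONSES = {
    "https://activegate.example/rest/health": ("https", {"Strict-Transport-Security": "max-age=31536000"}),
    "https://activegate.example/": ("https", {"Content-Type": "text/html"}),
    "http://activegate.example/rest/state": ("http", {"Strict-Transport-Security": "max-age=31536000"}),
}

def scan(responses: dict = SAMPLE_RESPONSES) -> dict:
    """Map each URL to the finding a scanner would report for it."""
    return {url: hsts_status(scheme, hdrs) for url, (scheme, hdrs) in responses.items()}
```

Running `scan()` on the constructed samples reports the API endpoint as enforced, the UI root as missing, and the plain-HTTP response as ignored, which is the distinction to raise when a scanner flags a host as a whole.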
Thanks for sharing,
For more clarification, is there any way to enable HSTS for the Dynatrace Managed cluster?
We consider this a false positive alert because HSTS is in general for public Internet servers. Dynatrace Managed cluster nodes are considered internal-only servers. Thus, we do not support enabling HSTS on Dynatrace Managed cluster nodes.
Does this help?
Thanks for the clarification, and yes, it helps me. Let's see how it goes with the security geeks.