stefanie_pachne
Dynatrace Organizer

Self Service Summary


The Security Team is asking to "enable HSTS", or is alerting that "HSTS is missing" or "Strict Transport Security Not Enforced" for Dynatrace ActiveGate or Managed, or that the "Strict Transport Security header is not present in the response" for OneAgent.


Issue: Security concern regarding HSTS (HTTP Strict Transport Security) for ActiveGate, Managed or OneAgent
Solution: Explain that HSTS is not applicable here (see below)
Tasks: Check the information below and explain it to your Security Team
Alternative(s): Submit a support ticket if you need additional details or you face a different scenario


First of all, a quick recap of what the HSTS (HTTP Strict Transport Security) header is all about (taken from RFC 6797, https://tools.ietf.org/html/rfc6797#section-2.2, and also explained on Wikipedia, https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security).

If the HSTS header is set in an HTTPS response, the User Agent (i.e. the browser) must from then on use only trusted HTTPS connections for all requests to the same host, for the specified amount of time.

We do not support enabling HSTS on Dynatrace Managed cluster nodes or on ActiveGates.

HSTS is in general for public Internet servers, and in general, Dynatrace Managed cluster nodes are internal-only servers. User browsers should not be connecting directly to ActiveGates in most use cases, and certainly not as a primary connection.
Note: To avoid showing up in security scans, Dynatrace adds HSTS for these ActiveGate endpoints: Environment API v1, Environment API v2, Configuration API, State API (/rest/state, /rest/health).

As a last remark, the Dynatrace OneAgent is not aware of the HTTP server/app server configuration, so it does not know whether HSTS is enabled or not. In fact, the agent cannot know for sure, because this header could also be added by another network device (reverse proxy, load balancer, ...).
For this reason, OneAgent cannot add this header: it would tell the HTTP client to send requests to this site only via HTTPS from then on. This could break the web application if it is not designed to serve all requests via HTTPS.
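To make the behaviour described above concrete, here is an added example (not code from Dynatrace or from the original post) that models how a browser handles the Strict-Transport-Security header per RFC 6797: it parses the header, stores the policy only when it arrives in an HTTPS response, and then upgrades later http:// requests to that host (and, with includeSubDomains, its subdomains) for max-age seconds. The hostnames and headers are constructed sample values.

```python
from urllib.parse import urlsplit, urlunsplit

def parse_hsts(value):
    """Parse a Strict-Transport-Security value (RFC 6797 s.6.1); None when invalid."""
    max_age, include_subdomains = None, False
    for directive in (d.strip() for d in value.split(";") if d.strip()):
        name, _, arg = directive.partition("=")
        name = name.strip().lower()
        if name == "max-age":
            arg = arg.strip().strip('"')
            if not arg.isdigit():            # max-age must be a non-negative integer
                return None
            max_age = int(arg)
        elif name == "includesubdomains":
            include_subdomains = True
        # any other directive (e.g. preload) is ignored, as the RFC requires
    return None if max_age is None else (max_age, include_subdomains)

class KnownHosts:
    """Model of a browser's HSTS store: host -> (expiry timestamp, includeSubDomains)."""
    def __init__(self, now):
        self.now, self.hosts = now, {}       # `now` is a clock callable, injectable for tests

    def observe(self, url, headers):
        """Record the policy carried by a response; only HTTPS responses are trusted."""
        parts = urlsplit(url)
        sts = next((v for k, v in headers.items() if k.lower() == "strict-transport-security"), None)
        if parts.scheme != "https" or sts is None or (policy := parse_hsts(sts)) is None:
            return
        max_age, subs = policy
        if max_age == 0:
            self.hosts.pop(parts.hostname, None)   # max-age=0 tells the UA to forget the host
        else:
            self.hosts[parts.hostname] = (self.now() + max_age, subs)

    def is_hsts_host(self, host):
        labels = host.lower().split(".")     # walk host, then each parent domain
        for i in range(len(labels)):
            entry = self.hosts.get(".".join(labels[i:]))
            if entry and entry[0] > self.now() and (i == 0 or entry[1]):
                return True
        return False

    def rewrite(self, url):
        """Return the URL the UA will actually fetch: http:// is upgraded for known hosts."""
        parts = urlsplit(url)
        if parts.scheme != "http" or not self.is_hsts_host(parts.hostname):
            return url
        netloc = parts.hostname if parts.port in (None, 80) else f"{parts.hostname}:{parts.port}"
        return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))
```

Once a policy is stored, every plain-HTTP URL for that host is rewritten, which is exactly why a header injected into an application that still serves some content over HTTP would break it.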

Last update: 02 Oct 2023 08:03 AM
Comments
ChadTurner
DynaMight Legend

Thank you @stefanie_pachne for sharing this! 

DanielS
DynaMight Guru

Bookmarked, thanks for this.

Romanenkov_Al3x
DynaMight Champion

Thanks for sharing. 

IslamEsmail
Contributor

Thanks for sharing.

For more clarification, is there any way to enable HSTS for the Dynatrace Managed cluster?

stefanie_pachne
Dynatrace Organizer

@IslamEsmail

We consider this a false positive alert because HSTS is in general for public Internet servers. Dynatrace Managed cluster nodes are considered internal-only servers. Thus, we do not support enabling HSTS on Dynatrace Managed cluster nodes.

Does this help?

IslamEsmail
Contributor

@stefanie_pachne 

Thanks for the clarification, and yes, it helps me. Let's see how it goes with the security geeks.