Node Exporter | Add security headers


Chandra Sekar K R

Oct 16, 2017, 10:00:02 AM
to Prometheus Users
Hi,

Node exporter does not explicitly set several security headers listed below, unlike Prometheus. Is there a way to add the security headers below, apart from patching the code?

X-XSS-Protection
X-Content-Type-Options
Content-Security-Policy
X-Frame-Options

Warm Regards, Chandra Sekar KR

Brian Brazil

Oct 16, 2017, 10:17:52 AM
to Chandra Sekar K R, Prometheus Users
Why would these make a difference security-wise? The node exporter doesn't have any UI.

--

Chandra Sekar K R

Oct 16, 2017, 2:41:09 PM
to Prometheus Users
The below findings were reported during an automated code security audit of Node exporter. Per the audit team, since node exporter is rendering a web page (although read-only metrics), modifying HTTP headers to include the security options below is mandatory. Please advise if the headers can be added by modifying the node exporter source.

Brian Brazil

Oct 16, 2017, 3:59:57 PM
to Chandra Sekar K R, Prometheus Users
On 16 October 2017 at 19:41, Chandra Sekar K R <chandra...@gmail.com> wrote:
The below findings were reported during an automated code security audit of Node exporter. Per the audit team, since node exporter is rendering a web page (although read-only metrics), modifying HTTP headers to include the security options below is mandatory. Please advise if the headers can be added by modifying the node exporter source.

That's your internal policy; it doesn't make sense for Prometheus exporters, as they're non-mutating and not meant to be used via JavaScript. See https://prometheus.io/docs/operating/security/ for our general approach to security, and what you should be worrying about.

Brian

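If an internal policy still insists on those four headers, the route that avoids patching node_exporter is to put a small reverse proxy in front of it and have the proxy add them; this does not change the exporter's actual exposure, which is the point Brian makes. The Go program below is an added example, not code from this thread or from the Prometheus project; it assumes node_exporter on 127.0.0.1:9100, a listen port of 9101, and the header values shown, and it fills in only headers the upstream did not already set.

```go
package main

import (
	"log"
	"net/http"
	"net/http/httputil"
	"net/url"
)

// The four headers from the audit. Values are assumptions for this example;
// a restrictive CSP is fine because /metrics is plain text with no sub-resources.
var securityHeaders = map[string]string{
	"X-XSS-Protection":        "1; mode=block",
	"X-Content-Type-Options":  "nosniff",
	"Content-Security-Policy": "default-src 'none'",
	"X-Frame-Options":         "DENY",
}

// addSecurityHeaders runs on every upstream response and fills in any header
// the exporter did not set itself, leaving existing values untouched.
func addSecurityHeaders(resp *http.Response) error {
	for name, value := range securityHeaders {
		if resp.Header.Get(name) == "" {
			resp.Header.Set(name, value)
		}
	}
	return nil
}

// NewHeaderProxy builds a reverse proxy that forwards to the exporter at
// upstream (assumed default: http://127.0.0.1:9100) and decorates responses.
func NewHeaderProxy(upstream string) (http.Handler, error) {
	u, err := url.Parse(upstream)
	if err != nil {
		return nil, err
	}
	proxy := httputil.NewSingleHostReverseProxy(u)
	proxy.ModifyResponse = addSecurityHeaders
	return proxy, nil
}

func main() {
	// Point Prometheus at 127.0.0.1:9101 instead of the exporter's port (assumed values).
	handler, err := NewHeaderProxy("http://127.0.0.1:9100")
	if err != nil {
		log.Fatal(err)
	}
	log.Fatal(http.ListenAndServe("127.0.0.1:9101", handler))
}
```

Scrape the proxy port rather than the exporter directly, and bind the exporter itself to localhost so the headerless endpoint is not reachable from the network.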