Enable HTTP Strict Transport Security (HSTS) for port 4443

[Jamal Nasir]

Does anyone know how to enable HSTS for port 4443 for rundeck? I have been playing around with the rundeck-config.properties and added the following without success (a restart was issued of course):

# You can specify an explicit policy, which will override directives declared below

#

# enable any custom additional headers (default: false)

#

rundeck.security.httpHeaders.provider.custom.enabled=true

rundeck.security.httpHeaders.provider.custom.config.name=Strict-Transport-Security

rundeck.security.httpHeaders.provider.custom.config.value=Strict-Transport-Security "max-age=63072000; includeSubDomains";

Does anyone know the proper setting to enable HSTS? This is a security finding via a Nessus scan that needs to be addressed. Thank You. 

[rac...@rundeck.com]

Hi Jamal,

Maybe the best approach is to leave that (and SSL stuff) to an external Load Balancer/Web Server in front of Rundeck like this or this. Also, take a look at this.

Regards!

[Jamal Nasir]

Hi, 

I managed to resolve this just now. I did end doing reverse proxy using a apache webserver. I then disabled port 4443 from the firewalld settings on RHEL 7 to prevent that port from being accessible publicly. The scanner is no longer showing this as a finding for port 4443. On port 443, I was able to enable HSTS in the apache conf file. Thank You.  

--
You received this message because you are subscribed to the Google Groups "rundeck-discuss" group.
To unsubscribe from this group and stop receiving emails from it, send an email to rundeck-discu...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/rundeck-discuss/c759ce62-9c0c-4bf0-a1ce-2fbf6f81a177n%40googlegroups.com.