HSTS (http strict transport security) Disabled

[nouran majeed]

How to enable HSTS (http strict transport security) for Wazuh 4.3

[Himanshu Sharma]

Hi Nouran, 

Thanks for using Wazuh!Can you please update here what exactly you are trying to achieve here with Wazuhv4.3 you are using OpenSearch or Opendistro in this because to add strict transport settings, we need to add some configuration to OpenSearch or open distro yml files.So please let me know what exactly you are looking for?Regards
Himanshu Sharma

[nouran majeed]

Hi  Himanshu 

We are using opensearch for wazuh 4.3. When we doing nessus scan we are getting HSTS error for the host. (file attached)

[Valton T.]

Hi,

U can add that restriction into nginx conf file of your site or domain!

[Himanshu Sharma]

Hi Nouran,

Hope you are doing well!

To enable HSTS (http strict transport security), you can edit configuration file like below .

server {
        listen 80 default_server;
        listen [::]:80 default_server;
        server_name _;
        return 301 https://$host$request_uri;
}
server {
        listen 443 ssl default_server;
        listen [::]:443 ssl default_server;
        ssl_certificate /etc/nginx/certificate/nginx-certificate.crt;
        ssl_certificate_key /etc/nginx/certificate/nginx.key;
        add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";
        root /var/www/html;
        index index.html index.htm index.nginx-debian.html;
        server_name _;
        location / {
                try_files $uri $uri/ =404;
        }
}

And to know more about HSTS Please go through with the following documantaion to enable HSTS (http strict transport security):

https://serverfault.com/questions/874936/adding-hsts-to-nginx-config
https://techexpert.tips/nginx/nginx-enable-hsts/

I hope it will resolve your queries.

Regards
Himanshu Sharma

[Aditya Sharma]

Hi Team,

I hope our last resolved your issue. Please let us know how it is working!

Regards
Aditya Sharma