I have a security issue: the telegraf agent with the HTTP Listener v2 Input Plugin does not have HSTS:
The remote HTTPS server does not send the HTTP
"Strict-Transport-Security" header.
The plugin has a feature, as others do (i.e. the HTTP Input Plugin), which allows setting extra HTTP headers:
# headers = {"X-Special-Header" = "Special-Value"}
@darinfisher do you mind chiming in if not having HSTS is a common security issue those using inputs.http_listener_v2 would encounter?
I am not sure that I correctly understood your question. The lack of a set HSTS header in HTTP Listener v2 Input is a security issue. I can cover this gap by adding an extra header. That works in the nginx configuration.
I mean something like below:
http_headers = {"Strict-Transport-Security" = "max-age=31536000; includeSubDomains"}
@sjwang90 HSTS is not needed for this plugin, as HSTS is useful for web sites accessed via a browser. HSTS helps to mitigate man-in-the-middle attacks using redirected access from an original insecure (HTTP) connection, including click-through links.
Service-to-service and server-to-server HTTPS should not be concerned with this vulnerability and should be configured to only maintain secure connections.
Configuring the server headers to announce HSTS should not have any effect on usage or security.
See RFC 6797 - HTTP Strict Transport Security (HSTS)
Allowing the user to configure custom server headers is probably a good idea.
This would allow the user more control. Allowing the user to configure 'Strict-Transport-Security' is a simple solution for audits and does not affect the service.
Lack of HSTS on the listener port is treated as a vulnerability (maybe in my firm only). It is just an example of using headers, leave it :). The feature will allow users more configuration and control.
Any company using Nessus Vulnerability scanning would have this as a finding which is also true in my case.
Since Telegraf provides web server capabilities it would be only logical to be able to configure HTTP headers.
Funny enough, InfluxDB allows configuring user-supplied HTTP response headers: https://docs.influxdata.com/influxdb/v1.8/administration/config/#http-headers
I believe here it's not that much different.
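As an added illustration of the feature requested in this thread (not Telegraf's own code), the Go snippet below wraps a listener handler so that operator-configured response headers, such as the Strict-Transport-Security example above, are emitted on every response; the `ResponseHeaders` type, `WithHeaders` and `ProbeHeader` names are assumptions, and the in-memory probe stands in for the scanner check that raised the finding.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// ResponseHeaders mirrors a hypothetical plugin option such as
//   http_headers = {"Strict-Transport-Security" = "max-age=31536000; includeSubDomains"}
// (the option name is assumed here, not an actual Telegraf config key).
type ResponseHeaders map[string]string

// WithHeaders wraps an http.Handler so every response carries the configured
// headers. They are set before the wrapped handler writes anything, because
// Go sends the header block on the first Write/WriteHeader call.
func WithHeaders(next http.Handler, hdrs ResponseHeaders) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		for k, v := range hdrs {
			w.Header().Set(k, v)
		}
		next.ServeHTTP(w, r)
	})
}

// writeHandler stands in for the listener's metric-ingest endpoint, which
// answers 204 No Content on success.
func writeHandler(w http.ResponseWriter, r *http.Request) {
	w.WriteHeader(http.StatusNoContent)
}

// ProbeHeader performs an in-memory request against the wrapped handler and
// returns the value of `name` from the response, mimicking a scanner check.
func ProbeHeader(hdrs ResponseHeaders, name string) string {
	h := WithHeaders(http.HandlerFunc(writeHandler), hdrs)
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, httptest.NewRequest(http.MethodPost, "/telegraf", nil))
	return rec.Result().Header.Get(name)
}

func main() {
	// Constructed sample configuration matching the header proposed in the thread.
	cfg := ResponseHeaders{"Strict-Transport-Security": "max-age=31536000; includeSubDomains"}
	fmt.Printf("without config: %q\n", ProbeHeader(nil, "Strict-Transport-Security"))
	fmt.Printf("with config:    %q\n", ProbeHeader(cfg, "Strict-Transport-Security"))
}
```

HSTS only has meaning on a TLS listener, so the wrapper belongs on the HTTPS-serving path; the probe simply shows the header is absent without the option and present with it.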