Hi,
Our Nessus scanner returned new vulnerabilities on port 8443 for lxd.
Do you have a guide to enable it? The finding is: "The remote HTTPS server does not send the HTTP 'Strict-Transport-Security' header."
In which file do I need to add it? Thanks.
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" env=HTTPS
My understanding of Strict-Transport-Security is that it indicates to web browsers that future connections to that domain should always be done over HTTPS.
However, LXD can only listen on HTTPS on the network, so there is no option of using HTTP.
If you don’t need LXD listening on the network you can disable that by unsetting core.https_address (although this is needed for a cluster).
I don’t suppose adding the header would be an issue, but as I understand it, wouldn’t improve security.
Yeah, HSTS when running on a non-standard HTTPS port and not offering an HTTP port seems completely pointless to me. I have no idea why Nessus would even flag this on 8443.
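As an added example (not code from the thread or from LXD), here is a small parser that reads a Strict-Transport-Security value the way RFC 6797 describes, plus a helper that states what storing the policy would change for a host that, like LXD on 8443, offers no plain-HTTP listener; the function names are my own.

```python
import re
from dataclasses import dataclass
from typing import Optional


@dataclass
class HstsPolicy:
    max_age: int           # seconds the browser remembers "HTTPS only" for this host
    include_subdomains: bool
    preload: bool


def parse_hsts(header: str) -> Optional[HstsPolicy]:
    """Parse an HSTS value (RFC 6797). Returns None where a browser would store
    no policy: max-age missing/non-numeric or a directive repeated."""
    max_age = None
    include_subdomains = preload = False
    seen = set()
    for raw in header.split(";"):
        token = raw.strip()
        if not token:
            continue
        name, _, value = token.partition("=")
        name = name.strip().lower()          # directive names are case-insensitive
        value = value.strip().strip('"')     # max-age may be a quoted-string
        if name in seen:
            return None
        seen.add(name)
        if name == "max-age":
            if not re.fullmatch(r"\d+", value):
                return None
            max_age = int(value)
        elif name == "includesubdomains":
            include_subdomains = True
        elif name == "preload":
            preload = True
        # any other directive is ignored, as the RFC requires
    if max_age is None:
        return None
    return HstsPolicy(max_age, include_subdomains, preload)


def describe(header: str, serves_plain_http: bool) -> str:
    """Say what storing this policy would change for the host that sent it."""
    policy = parse_hsts(header)
    if policy is None:
        return "invalid header: browser stores no policy"
    if policy.max_age == 0:
        return "max-age=0: browser forgets any stored policy"
    if not serves_plain_http:
        return "policy stored, but there is no http:// listener to upgrade from"
    return f"http:// requests to this host are rewritten to https:// for {policy.max_age}s"
```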