The Nessus scan shows a vulnerability on port 8443 (foreman-proxy) and 8140 (puppetserver) because there is no HSTS header set.
Is there an option to set this header?
I expect the same header as on “https://myforeman.com:443/users/login”.
Strict-Transport-Security: max-age=631139040; includeSubdomains
Foreman and Proxy versions:
Foreman and Proxy plugin versions:
Distribution and version:
Other relevant data:
The port should not be used by browsers as it is only Puppet communication requiring client certificates, and it is not accessible to the public at all in most environments. I would agree with the statements I found online that there is no need for it.
It would perhaps make sense if you use an official certificate and not a self-signed one. The Puppet code used has no option for this, so there is no option to set it directly. What should work would be dropping a line with the option into a file in /etc/httpd/conf.d/05-foreman-ssl.d/, as the headers module is already loaded and files there are included in the virtual host.
Without any further step this file would be removed by the foreman-installer when executed, so you would need at least some custom hiera to prevent the deletion, but this could cause other issues.
So I would suggest trying the manual solution and, if security is fine with it afterwards, finding a way to make it permanent. If you think others can also benefit from this, the puppet-foreman module would be a good point for integration.
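An added example, not code from this thread or from the Foreman project: a small POSIX shell check that inspects a captured HTTPS response header block for the Strict-Transport-Security policy the poster sees on port 443, so the result of the manual drop-in above can be verified before and after. The one-year threshold, the curl invocation in the comments and the sample header blocks are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example (not from the thread). In practice the header block would be
# captured with something like (client certificate required on 8443/8140):
#   curl -sI --cert client.pem --key client.key https://myforeman.com:8443/
# Constructed samples are embedded below so the check runs offline.

MIN_MAX_AGE=31536000   # one year; assumed threshold, what most scanners expect

# The directive the manual fix above would place in a drop-in file under
# /etc/httpd/conf.d/05-foreman-ssl.d/ (mod_headers):
#   Header always set Strict-Transport-Security "max-age=631139040; includeSubDomains"

# hsts_check HEADERS: prints a verdict, returns 0 only for an acceptable policy
hsts_check() {
    headers="$1"
    # header names are case-insensitive; strip CR and take the first STS value
    sts=$(printf '%s\n' "$headers" | tr -d '\r' \
        | grep -i '^strict-transport-security:' | head -n1 | cut -d: -f2-)
    if [ -z "$sts" ]; then
        echo "missing: no Strict-Transport-Security header"
        return 1
    fi
    # pull the numeric max-age; directives are case-insensitive as well
    max_age=$(printf '%s' "$sts" | tr 'A-Z' 'a-z' \
        | sed -n 's/.*max-age=\([0-9]*\).*/\1/p')
    if [ -z "$max_age" ]; then
        echo "invalid: max-age directive absent"
        return 1
    fi
    if [ "$max_age" -lt "$MIN_MAX_AGE" ]; then
        echo "weak: max-age=$max_age is below $MIN_MAX_AGE"
        return 1
    fi
    echo "ok: max-age=$max_age"
    return 0
}

# Constructed sample responses (not real captures)
SAMPLE_GOOD='HTTP/1.1 200 OK
Strict-Transport-Security: max-age=631139040; includeSubdomains
Content-Type: text/html'
SAMPLE_MISSING='HTTP/1.1 200 OK
Content-Type: application/json'
SAMPLE_SHORT='HTTP/1.1 200 OK
Strict-Transport-Security: max-age=300'

for s in "$SAMPLE_GOOD" "$SAMPLE_MISSING" "$SAMPLE_SHORT"; do
    hsts_check "$s" || true
done
```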
Like @Dirk said, Puppetserver and Foreman Proxy aren’t used by browsers so I see little value. For Puppetserver in particular it’s not even served over HTTP. Foreman Proxy by default isn’t served over HTTP, but can be configured to (and the foreman-proxy-content scenario enables this by default).
So what added value does it bring?
Unfortunately, in many cases, IT Security teams could care less about such things; they just want the blinky light on the security scan report they give to management to go away.
I know that. It only creates overhead (because you send additional bytes over the network) just so some scanner shuts up. I can’t speak for puppetserver, but for Foreman Proxy I’d reject it.