
Support for HSTS

Votes:

1

Hi,

Are HSTS headers supported for HTTP/HTTPS connectivity? e.g.:

Name: strict-transport-security / Value: max-age=31536000; includeSubdomains; preload

Source:

Aston-J

hsts https prtg

Created on Oct 18, 2017 7:23:18 AM

Last change on Oct 18, 2017 10:37:27 AM by  Luciano Lingnau [Paessler]



24 Replies

Votes:

0

Hello Aston, thank you for your reply

Would you mind elaborating? Are you attempting to monitor something that is hosted with HSTS? What exactly are you attempting to achieve?

Best Regards,
Luciano Lingnau [Paessler Support]

Created on Oct 18, 2017 10:38:39 AM by  Luciano Lingnau [Paessler]



Votes:

0

Hi Luciano,

This is in regards to the web console access. If you log into PRTG from a browser and look at the HTTP headers, there is none which exists for HSTS. I have looked for a way to enable this but I have not been successful. A similar setting (in regards to how the header is delivered) is x-frame-options, which is editable on your solution with a Windows registry edit on the webserver:

The reason I have noticed this is because HSTS is coming up as failed on a penetration test and I can not find any details on how to enable this feature on your solution.

If you need any more details or evidence then please let me know.

Many Thanks,

Aston-J

Created on Oct 23, 2017 7:45:08 AM

Last change on Oct 23, 2017 8:46:37 AM by  Luciano Lingnau [Paessler]



Votes:

0

Hello Aston,
thank you for your reply and clarification.

Please allow me to check this with the corresponding development team. I'll update my reply as soon as I've heard back, please note however that this could take a couple of days depending on the team's schedule and availability.

Best Regards,
Luciano Lingnau [Paessler Support]

Created on Oct 23, 2017 8:49:41 AM by  Luciano Lingnau [Paessler]



Votes:

0

Hello Aston,
thank you for your patience.

I'm able to confirm that this is not supported at the moment. I will raise an internal feature request for "support for customized HTTP headers", but at this time I'm unable to confirm whether it will get implemented (i.e. if there are enough requests/interested users to justify the implementation effort).

Best Regards,
Luciano Lingnau [Paessler Support]

Created on Nov 1, 2017 9:06:54 AM by  Luciano Lingnau [Paessler]



Votes:

0

Hi Luciano,

Thank you for the update. This issue appeared within a penetration test and a vulnerability assessment and I think it will come up more often but I understand that you have to wait until more customers report the issue.

Thanks, Aston-J

Created on Nov 6, 2017 11:44:44 AM



Votes:

0

Hello. Was the HSTS feature ever implemented? It comes up in a security assessment as a vulnerability.

Thanks

Created on Aug 8, 2019 8:40:56 PM



Votes:

0

Custom HTTP headers are planned for the new application server that is currently under development. It will take its time to arrive, though, and there's no ETA on this.

Created on Aug 9, 2019 6:51:41 AM by  Stephan Linke [Paessler Support]



Votes:

0

Thanks for the reply. Just an FYI, this also came up in assessment:

Server information header exposed. Exposing information about the server version increases the ability of attackers to exploit certain vulnerabilities. The website configuration should be changed to prevent version information being revealed in the 'server' header.

Expected - Headers > server: [does not contain version number]

Actual - PRTG/19.2.50.2842

Created on Aug 9, 2019 3:24:02 PM
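The two findings reported in this thread (no Strict-Transport-Security header, and a Server header carrying a version string) are simple to verify from a captured response, and the same check confirms whether a reverse proxy placed in front of PRTG, as suggested further down, actually fixes them. The following is an added example, not code from the thread or from Paessler: it parses an HSTS field value per RFC 6797 (the directive syntax from the original question) and flags both findings over two constructed header sets. The "before" set uses the Server value quoted above; the "after" set, the proxy's name and its header values are assumptions for illustration.

```python
"""Check HTTP response headers for the two findings raised in this thread:
missing HSTS and a version-revealing Server header."""
from __future__ import annotations

import re

# Constructed sample header sets (not captured from any real PRTG install).
# "Before": what the thread reports the PRTG web server returning directly.
PRTG_DIRECT = {
    "Server": "PRTG/19.2.50.2842",  # value quoted earlier in this thread
    "Content-Type": "text/html; charset=utf-8",
}
# "After": the same response passed through a reverse proxy that adds HSTS
# and replaces the Server header. Proxy name and header values are assumed.
BEHIND_PROXY = {
    "Server": "nginx",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload",
    "Content-Type": "text/html; charset=utf-8",
}

# Anything that looks like a dotted version number, e.g. 19.2.50.2842.
VERSION_RE = re.compile(r"\d+(\.\d+)+")


def parse_hsts(value: str) -> dict:
    """Parse a Strict-Transport-Security field value (RFC 6797, section 6.1).

    Directives are ';'-separated, names are case-insensitive, and max-age
    is mandatory; includeSubDomains and preload are valueless flags."""
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        directives[name.strip().lower()] = val.strip().strip('"')
    if not directives.get("max-age", "").isdigit():
        raise ValueError("HSTS header lacks a valid max-age directive")
    return {
        "max_age": int(directives["max-age"]),
        "include_subdomains": "includesubdomains" in directives,
        "preload": "preload" in directives,
    }


def check_headers(headers: dict, min_max_age: int = 31536000) -> list:
    """Return scanner-style findings for a header set; an empty list is clean.

    min_max_age defaults to one year, the value used in the original question."""
    # Header field names are case-insensitive, so normalise before lookup.
    h = {k.lower(): v for k, v in headers.items()}
    findings = []

    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("HSTS missing from HTTPS server (RFC 6797)")
    else:
        try:
            parsed = parse_hsts(hsts)
            if parsed["max_age"] < min_max_age:
                findings.append(
                    f"HSTS max-age {parsed['max_age']} below {min_max_age}")
        except ValueError as exc:
            findings.append(f"HSTS header malformed: {exc}")

    server = h.get("server")
    if server and VERSION_RE.search(server):
        findings.append(f"Server header exposes version: {server}")
    return findings


if __name__ == "__main__":
    for label, hdrs in (("direct", PRTG_DIRECT), ("behind proxy", BEHIND_PROXY)):
        print(f"{label}: {check_headers(hdrs) or 'no findings'}")
```

Run it against headers captured from the proxied and the direct endpoint; only when the proxied response yields no findings does the reverse-proxy workaround actually address what the scanners report.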



Votes:

0

The new application server will cover that aspect as well, thanks for the heads up! :)

Created on Aug 12, 2019 6:22:19 AM by  Stephan Linke [Paessler Support]



Votes:

1

What is the status of this issue? The missing HSTS header occurred in every pentest we did so far, therefore it's quite annoying. Since HSTS is state of the art today, you really should consider implementing it.

Additionally you should merge this question with: 83259-implement-security-headers

One year and nothing happened so far...

Created on Feb 26, 2020 9:11:12 AM



Votes:

0

We have decided not to implement this in the current version of PRTG's webserver anymore, but rather in its successor, which will still take some time to develop. I understand that this is causing intermediate issues. From what I can tell, it should be possible to use a reverse proxy like nginx and have HSTS headers passed on via the same? If I understand that correctly:

via mozilla
"When your site is accessed over HTTPS with no certificate errors, the browser knows your site is HTTPS capable and will honor the Strict-Transport-Security header."

... it should work with a proper HTTPS certificate, from what I can tell. Worth a shot, or?

Created on Feb 26, 2020 9:36:03 AM by  Stephan Linke [Paessler Support]



Votes:

0

Is there any update on this, is HSTS supported now ?

Created on Apr 29, 2021 10:41:47 AM



Votes:

0

Hello Gerald,

As my colleague indicated above, we won't implement the HSTS header in the current webserver of PRTG but in its successor.


We have decided not to implement this in the current version of PRTG's webserver anymore, but rather in its successor, which will still take some time to develop. I understand that this is causing intermediate issues. From what I can tell, it should be possible to use a reverse proxy like nginx and have HSTS headers passed on via the same? If I understand that correctly:

via mozilla "When your site is accessed over HTTPS with no certificate errors, the browser knows your site is HTTPS capable and will honor the Strict-Transport-Security header."

... it should work with a proper HTTPS certificate, from what I can tell. Worth a shot, or?

Regards.

Created on Apr 29, 2021 11:25:45 AM by  Florian Lesage [Paessler Support]



Votes:

0

This post was from February 2020; now we have '21, one year is gone. Any timeframe for the successor?

Created on Apr 29, 2021 2:11:56 PM



Votes:

0

I do understand that this request was asked a while ago; however, the development team has a lot to do regarding the successor, which takes time. We expect to make it public at the beginning of next year with limited features. Then, of course, it will be improved progressively.

Regards.

Created on Apr 30, 2021 5:25:46 AM by  Florian Lesage [Paessler Support]



Votes:

0

Dear Paessler,

A vulnerability and penetration scan shows medium severity "HTTP strict transport security Check": HTTP strict transport security disabled and HTTP Security Header Not Detected.

I think you and your developer should consider this request.

Created on Nov 19, 2021 1:25:31 AM



Votes:

0

Hello Mang,

Thank you for your message.

Regarding the HSTS header, it won't be available with the current web interface. Nevertheless, it will be possible to add it for the new web interface our developers are working on. Please, note that this won't be the case at the beginning however it is planned to provide the possibility to add custom HTTP headers.

Regards.

Created on Nov 19, 2021 7:23:13 AM by  Florian Lesage [Paessler Support]



Votes:

0

Good day.

Any progress?

Why were 1268 days not enough to develop this feature?

Created on Mar 22, 2022 2:07:21 PM



Votes:

0

Hello,

The request is on our side and was reviewed by our product owners. Nevertheless, after multiple discussions and due to technical reasons regarding the current web server, our focus is on the new PRTG web interface which will bring more security including the protocol TLS 1.3. The development team will provide the possibility to add custom HTTP headers there including HSTS.

Regards.

Created on Mar 23, 2022 6:37:12 AM by  Florian Lesage [Paessler Support]



Votes:

0

Hello,

Any progress on this topic? Our security scanner reports "HSTS Missing From HTTPS Server (RFC 6797)" on the PRTG web server, port 443.

I see that the last reply was 6 months ago.

Regards

Created on Sep 6, 2022 8:50:47 AM



Votes:

0

Hello,

Thank you for your message.

Regarding the HTTP header HSTS, I'm afraid that there is no update about it as it won't be available for the current interface of PRTG (mentioned above).

It can be used with the new interface we are working on (which also uses TLS 1.3 for more security) however we still have some work to provide the basic features set there: https://kb.paessler.com/en/topic/90008-i-want-to-use-the-new-ui-and-new-api-what-do-i-need-to-know.

If you need to implement it for the current interface, I invite you to configure a reverse proxy in front of PRTG. This way, you will be able to add the HTTP headers you desire.

Regards.

Created on Sep 7, 2022 12:51:33 PM by  Florian Lesage [Paessler Support]

Last change on Sep 7, 2022 12:52:51 PM by  Florian Lesage [Paessler Support]



Votes:

0

Seems this topic comes up every few months. Like the other commenters this came up on a penetration test. Which "new" version is being referred to here that this will be implemented? I'm currently on 22.4.81.1532+ which is latest as of this comment today.

Created on Jan 27, 2023 2:17:27 PM



Votes:

0

Hello Jared,
I'm afraid to tell you that there's no ETA yet.

Created on Jan 30, 2023 8:49:37 AM by  Timo Dambach [Paessler Support]



Votes:

0

I'd like to also vote for the importance of this functionality. It is not very satisfying having such an issue for so long, and there still seems to be no ETA on the "new version" (whatever that may mean).

This is no longer a feature request, this is a prerequisite to be allowed to have your product running in production.

Hope the new version may arrive soon.

Created on Aug 11, 2023 3:55:57 PM



