
Support for HSTS


Hi,

Are HSTS headers supported for the HTTP/HTTPS connectivity? e.g.:

Name: strict-transport-security / Value: max-age=31536000; includeSubdomains; preload

Aston-J

Tags: hsts, https, prtg

Created on Oct 18, 2017 7:23:18 AM by dehsinotsa

Last change on Oct 18, 2017 10:37:27 AM by  Luciano Lingnau [Paessler]



15 Replies


Hello Aston, thank you for your reply.

Would you mind elaborating? Are you attempting to monitor something that is hosted with HSTS? What exactly are you attempting to achieve?

Best Regards,
Luciano Lingnau [Paessler Support]

Created on Oct 18, 2017 10:38:39 AM by  Luciano Lingnau [Paessler]




Hi Luciano,

This is in regards to the web console access. If you log into PRTG from a browser and look at the HTTP headers, there is none that exists for HSTS. I have looked for a way to enable this but I have not been successful. A similar setting (in regards to how the header is delivered) is x-frame-options, which is editable on your solution with a Windows registry edit on the webserver:

The reason I have noticed this is because HSTS is coming up as failed on a penetration test and I cannot find any details on how to enable this feature on your solution.

If you need any more details or evidence then please let me know.

Many Thanks,

Aston-J

Created on Oct 23, 2017 7:45:08 AM by dehsinotsa

Last change on Oct 23, 2017 8:46:37 AM by  Luciano Lingnau [Paessler]




Hello Aston,
thank you for your reply and clarification.

Please allow me to check this with the corresponding development team. I'll update my reply as soon as I've heard back, please note however that this could take a couple of days depending on the team's schedule and availability.

Best Regards,
Luciano Lingnau [Paessler Support]

Created on Oct 23, 2017 8:49:41 AM by  Luciano Lingnau [Paessler]




Hello Aston,
thank you for your patience.

I'm able to confirm that this is not supported at the moment. I will raise an internal feature request for "support for customized HTTP headers", but at this time I'm unable to confirm whether it will get implemented (i.e., if there are enough requests/interested users to justify the implementation effort).

Best Regards,
Luciano Lingnau [Paessler Support]

Created on Nov 1, 2017 9:06:54 AM by  Luciano Lingnau [Paessler]




Hi Luciano,

Thank you for the update. This issue appeared within a penetration test and a vulnerability assessment and I think it will come up more often but I understand that you have to wait until more customers report the issue.

Thanks, Aston-J

Created on Nov 6, 2017 11:44:44 AM by dehsinotsa




Hello. Was the HSTS feature ever implemented? It comes up in a security assessment as a vulnerability.

Thanks

Created on Aug 8, 2019 8:40:56 PM by NetworkCoreMailGroup




Custom HTTP headers are planned for the new application server that is currently under development. It will take its time to arrive, though, and there's no ETA on this.

Created on Aug 9, 2019 6:51:41 AM by  Stephan Linke [Paessler Support]




Thanks for the reply. Just an FYI, this also came up in assessment:

Server information header exposed. Exposing information about the server version increases the ability of attackers to exploit certain vulnerabilities. The website configuration should be changed to prevent version information being revealed in the 'server' header.

Expected - Headers > server: [does not contain version number]

Actual - PRTG/19.2.50.2842

Created on Aug 9, 2019 3:24:02 PM by NetworkCoreMailGroup




The new application server will cover that aspect as well, thanks for the heads up! :)

Created on Aug 12, 2019 6:22:19 AM by  Stephan Linke [Paessler Support]




What is the status of this issue? The missing HSTS header occurred in every pentest we did so far, therefore it's quite annoying. Since HSTS is state of the art today, you really should consider implementing it.

Additionally you should merge this question with: 83259-implement-security-headers

One year and nothing happened so far...

Created on Feb 26, 2020 9:11:12 AM by LKGS




We have decided not to implement this in the current version of PRTG's webserver anymore, but rather in its successor, which will still take some time to develop. I understand that this is causing intermediate issues. From what I can tell, it should be possible to use a reverse proxy like nginx and have HSTS headers passed on via the same? If I understand that correctly:

via mozilla
"When your site is accessed over HTTPS with no certificate errors, the browser knows your site is HTTPS capable and will honor the Strict-Transport-Security header."

... it should work with a proper HTTPS certificate, from what I can tell. Worth a shot, or?

Created on Feb 26, 2020 9:36:03 AM by  Stephan Linke [Paessler Support]
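A minimal nginx reverse-proxy configuration that does what the reply above suggests, added here as an example; it is not Paessler's documentation and not part of this thread. It assumes the PRTG web server is reachable from the proxy host at https://prtg-core.internal:443 (placeholder), that the public hostname is prtg.example.com (placeholder), and that a publicly trusted certificate for that hostname is installed at the paths shown, because, as the Mozilla quote above says, browsers only honour HSTS when the certificate has no errors.

```nginx
# Added example (http context, e.g. /etc/nginx/conf.d/prtg.conf).
# Hostnames, certificate paths and the upstream address are assumptions.

# Keep nginx's own Server header to just "nginx", without a version.
server_tokens off;

# Plain HTTP: redirect everything to HTTPS so clients reach the HSTS header.
server {
    listen 80;
    server_name prtg.example.com;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name prtg.example.com;

    # Certificate for the public hostname. It must be trusted by clients;
    # with a certificate error browsers ignore Strict-Transport-Security.
    ssl_certificate     /etc/nginx/tls/prtg.example.com.fullchain.pem;
    ssl_certificate_key /etc/nginx/tls/prtg.example.com.key;
    ssl_protocols       TLSv1.2 TLSv1.3;

    # The header value from the opening post. "always" adds it on error
    # responses too, not only on 2xx/3xx. "preload" commits every
    # subdomain of the name to HTTPS for a year; drop it unless intended.
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;

    location / {
        # Assumed upstream PRTG web server. nginx does not forward the
        # upstream "Server" header by default, so the PRTG/<version> value
        # reported in the assessment above is replaced by nginx's own.
        proxy_pass https://prtg-core.internal:443;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;

        # Caveat: an add_header placed inside this location would replace
        # the server-level add_header above, so keep header logic in one place.
    }
}
```

After reloading nginx, `curl -sI https://prtg.example.com/` should show the Strict-Transport-Security header and a Server header without a version number.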




Is there any update on this, is HSTS supported now ?

Created on Apr 29, 2021 10:41:47 AM by GeraldSchwarzer




Hello Gerald,

As my colleague indicated above, we won't implement the HSTS header in the current webserver of PRTG but in its successor.


We have decided not to implement this in the current version of PRTG's webserver anymore, but rather in its successor, which will still take some time to develop. I understand that this is causing intermediate issues. From what I can tell, it should be possible to use a reverse proxy like nginx and have HSTS headers passed on via the same? If I understand that correctly:

via mozilla "When your site is accessed over HTTPS with no certificate errors, the browser knows your site is HTTPS capable and will honor the Strict-Transport-Security header."

... it should work with a proper HTTPS certificate, from what I can tell. Worth a shot, or?

Regards.

Created on Apr 29, 2021 11:25:45 AM by  Florian Lesage [Paessler Support]




This post was from February 2020; now we have '21, one year is gone. Any timeframe for the successor?

Created on Apr 29, 2021 2:11:56 PM by GeraldSchwarzer




I do understand that this request was asked a while ago; however, the development team has a lot to do regarding the successor, which takes time. We expect to make it public at the beginning of next year with limited features. Then, of course, it will be improved progressively.

Regards.

Created on Apr 30, 2021 5:25:46 AM by  Florian Lesage [Paessler Support]


