User Story
Currently some security headers are missing from the HTTP responses, such as Strict-Transport-Security, Content-Security-Policy, Referrer-Policy, Expect-CT and Feature-Policy. Also, the version number should not be made public until a user is logged on.
Details of User Story
These headers would increase security as they specify boundaries. Some headers should be configured by default and some should be configurable:
- Strict-Transport-Security - Should be a switch that can be turned on or off; if turned on, the includeSubDomains parameter should be a choice to include.
- Content-Security-Policy - This should be done automatically, as you guys know where all resources are going to be.
- Referrer-Policy - This should be a drop-down menu with the options
- Expect-CT - This should be a switch that can be turned on or off.
- Feature-Policy - This should be done automatically, as you guys know which features are used within PRTG.
- Server - This should not mention the version number.
Acceptance criteria
- Strict-Transport-Security - [REQUIRED]
- Content-Security-Policy - [REQUIRED]
- Referrer-Policy - [OPTIONAL]
- Expect-CT - [REQUIRED]
- Feature-Policy - [OPTIONAL] as this is still in development
- Server - [REQUIRED]
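As an added example (not part of this request or of PRTG itself), a small checker that audits one HTTP response against the acceptance criteria above: it reports which of the listed headers are absent, whether HSTS was set without includeSubDomains when that option is wanted, and whether the Server header still discloses a version number. The header mapping and the sample response are constructed for the example.

```python
import re

# Headers from the acceptance criteria above, keyed by the request's own
# REQUIRED/OPTIONAL level (constructed mapping for this example).
EXPECTED_HEADERS = {
    "strict-transport-security": "REQUIRED",
    "content-security-policy": "REQUIRED",
    "referrer-policy": "OPTIONAL",
    "expect-ct": "REQUIRED",
    "feature-policy": "OPTIONAL",
}
# A dotted version string (e.g. 19.4.54.1506) inside a Server value.
VERSION_RE = re.compile(r"\d+\.\d+(?:\.\d+)+")

def parse_headers(raw_response: str) -> dict:
    """Map lowercase header names to values from a raw HTTP response head."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers

def audit_headers(raw_response: str, hsts_subdomains: bool = False) -> dict:
    """Return {check: finding} for headers missing or weakened in one response."""
    headers = parse_headers(raw_response)
    findings = {}
    for name, level in EXPECTED_HEADERS.items():
        if name not in headers:
            findings[name] = f"missing ({level})"
    hsts = headers.get("strict-transport-security", "").lower()
    if hsts and hsts_subdomains and "includesubdomains" not in hsts:
        findings["strict-transport-security"] = "lacks includeSubDomains"
    server = headers.get("server", "")
    if VERSION_RE.search(server):
        findings["server"] = f"version disclosed: {server}"
    return findings

# Constructed sample: HSTS without includeSubDomains, CSP and Feature-Policy
# absent, and a Server header that still reveals a version number.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: PRTG/19.4.54.1506\r\n"
    "Strict-Transport-Security: max-age=31536000\r\n"
    "Referrer-Policy: strict-origin-when-cross-origin\r\n"
    "Expect-CT: max-age=86400, enforce\r\n"
    "Content-Type: text/html\r\n\r\n<html></html>"
)
```

Run `audit_headers(SAMPLE_RESPONSE, hsts_subdomains=True)` to get one finding per failed check; an empty dict means every listed header is present and the Server value carries no version.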
Status
Open
Additional Notes
The version number is already hidden, as per v19.4.54.1506:
PRTG does not show the current version number in HTTP headers anymore to improve security by not providing attackers potentially relevant information. For the same reason, the page footer of the web interface now only shows the version number on pages that require a logged in user account.