
[OPEN] HTTP Header Security

Votes:

21




User Story

Currently there are some security headers missing from the HTTP responses, like Strict-Transport-Security, Content-Security-Policy, Referrer-Policy, Expect-CT and Feature-Policy. Also, the version number should not be made public until logged on.

Details of User Story

These headers would increase security as they specify boundaries. Some headers should be configured by default and some should be configurable:

  • Strict-Transport-Security - Should be a switch that can be turned on or off; if turned on, the includeSubDomains parameter should be a choice to include.
  • Content-Security-Policy - This should be done automatically as you guys know where all resources are going to be.
  • Referrer-Policy - This should be a drop-down menu with the options
  • Expect-CT - This should be a switch that can be turned on or off.
  • Feature-Policy - This should be done automatically as you guys know which features are used within PRTG.
  • Server - This should not mention the version number.

Acceptance criteria

  • Strict-Transport-Security - [REQUIRED]
  • Content-Security-Policy - [REQUIRED]
  • Referrer-Policy - [OPTIONAL]
  • Expect-CT - [REQUIRED]
  • Feature-Policy - [OPTIONAL] as this is still in development
  • Server - [REQUIRED]

Status

Open

Additional Notes

The version number is already hidden, as of v19.4.54.1506:

PRTG does not show the current version number in HTTP headers anymore to improve security by not providing attackers potentially relevant information. For the same reason, the page footer of the web interface now only shows the version number on pages that require a logged in user account.

core-server http improve-prtg prtg-kbtracker

Created on Jan 9, 2020 4:45:25 PM

Last change on Jan 13, 2020 7:54:13 AM by Stephan Linke [Paessler Support]
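
The acceptance criteria above, turned into a check that can be run over captured response headers. This is example code added to this page; it is not part of PRTG or the Paessler knowledge base and contacts no server. The two header sets at the bottom are constructed for illustration, and the Referrer-Policy token list and the version regex are my assumptions, since the request lists neither. Strict-Transport-Security is only honoured by browsers on a TLS response, so the check only requires it for HTTPS, and the Server check mirrors the request by flagging a version only for anonymous users.

```python
# Header audit for the acceptance criteria above (added example, see lead-in).
import re

# Standard Referrer-Policy tokens (assumption: the page does not list the
# values the requested drop-down would offer).
REFERRER_POLICIES = {
    "no-referrer", "no-referrer-when-downgrade", "origin",
    "origin-when-cross-origin", "same-origin", "strict-origin",
    "strict-origin-when-cross-origin", "unsafe-url",
}

# Anything that looks like a dotted product version, e.g. "PRTG/18.1.37".
VERSION_RE = re.compile(r"\d+\.\d+(?:\.\d+)*")


def parse_hsts(value):
    """Split 'max-age=31536000; includeSubDomains' into a dict of directives.
    Directive names are case-insensitive, so they are lower-cased."""
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if part:
            name, _, val = part.partition("=")
            directives[name.strip().lower()] = val.strip().strip('"')
    return directives


def audit_headers(headers, https=True, logged_in=False):
    """Return the list of unmet criteria; an empty list means all are met.

    headers   -- response header name -> value (names compared case-insensitively)
    https     -- HSTS is only honoured on a TLS response, so it is only
                 required when the response was served over HTTPS
    logged_in -- the request only asks to hide the version from anonymous
                 users, so a version in Server is not flagged once logged in
    """
    h = {k.lower(): v for k, v in headers.items()}
    findings = []

    # Strict-Transport-Security [REQUIRED]: present, with a non-zero max-age
    if https:
        hsts = h.get("strict-transport-security")
        if hsts is None:
            findings.append("Strict-Transport-Security missing")
        else:
            max_age = parse_hsts(hsts).get("max-age", "")
            if not max_age.isdigit():
                findings.append("Strict-Transport-Security has no numeric max-age")
            elif int(max_age) == 0:
                findings.append("Strict-Transport-Security max-age=0 disables HSTS")

    # Content-Security-Policy [REQUIRED]: a report-only policy enforces nothing
    if "content-security-policy" not in h:
        if "content-security-policy-report-only" in h:
            findings.append("Content-Security-Policy is report-only, not enforced")
        else:
            findings.append("Content-Security-Policy missing")

    # Referrer-Policy [OPTIONAL]: absence is fine, an unknown token is not
    rp = h.get("referrer-policy")
    if rp is not None:
        tokens = [t.strip().lower() for t in rp.split(",")]
        if not all(t in REFERRER_POLICIES for t in tokens):
            findings.append("Referrer-Policy has an unknown value: " + rp)

    # Expect-CT [REQUIRED] as written in the request
    if "expect-ct" not in h:
        findings.append("Expect-CT missing")

    # Feature-Policy [OPTIONAL]: nothing to flag when absent (its successor
    # name, Permissions-Policy, is treated as equivalent)

    # Server [REQUIRED]: no version number for anonymous users
    server = h.get("server", "")
    if not logged_in and VERSION_RE.search(server):
        findings.append("Server header leaks a version number: " + server)

    return findings


# Constructed response modelled on the situation the request describes.
BEFORE = {
    "Server": "PRTG/18.1.37",
    "Content-Type": "text/html; charset=utf-8",
}

# Constructed response that meets every criterion above.
HARDENED = {
    "Server": "PRTG",
    "Content-Type": "text/html; charset=utf-8",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Expect-CT": "max-age=86400, enforce",
    "Permissions-Policy": "camera=(), microphone=(), geolocation=()",
}

if __name__ == "__main__":
    for label, hdrs in (("before", BEFORE), ("hardened", HARDENED)):
        print(label + ":", audit_headers(hdrs) or ["all criteria met"])
```

Two caveats when reading the criteria today: Feature-Policy has since been renamed Permissions-Policy, which is why the check accepts either name, and Expect-CT has been deprecated by browsers, so the check treats it as the request words it rather than as a current best practice. Against a live server, pass the response's header mapping (for example `requests.get(url).headers`) as `headers`.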



Replies

Nobody has replied yet

