[OPEN] HTTP Header Security

Votes: 3


User Story

Currently there are some security headers missing from the HTTP responses, like Strict-Transport-Security, Content-Security-Policy, Referrer-Policy, Expect-CT and Feature-Policy. Also, the version number should not be made public until the user is logged on.

Details of User Story

These headers would increase security as they specify boundaries. Some headers should be configured by default and some should be configurable:

  • Strict-Transport-Security - Should be a switch that can be turned on or off; if turned on, the includeSubDomains parameter should be a choice to include.
  • Content-Security-Policy - This should be done automatically, as you guys know where all resources are going to be.
  • Referrer-Policy - This should be a drop-down menu with the options
  • Expect-CT - This should be a switch that can be turned on or off.
  • Feature-Policy - This should be done automatically, as you guys know which features are used within PRTG.
  • Server - This should not mention the version number.

Acceptance criteria

  • Strict-Transport-Security - [REQUIRED]
  • Content-Security-Policy - [REQUIRED]
  • Referrer-Policy - [OPTIONAL]
  • Expect-CT - [REQUIRED]
  • Feature-Policy - [OPTIONAL] as this is still in development
  • Server - [REQUIRED]

Status

Open

Additional Notes

The version number is already hidden, as per v19.4.54.1506:

PRTG does not show the current version number in HTTP headers anymore to improve security by not providing attackers potentially relevant information. For the same reason, the page footer of the web interface now only shows the version number on pages that require a logged in user account.

Tags: core-server, http, improve-prtg, prtg-kbtracker

Created on Jan 9, 2020 4:45:25 PM by Ralf Wanninkhof

Last change on Jan 13, 2020 7:54:13 AM by Stephan Linke [Paessler Support]
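As an added example that is not part of the original request and not PRTG's own code, the following Python snippet audits a captured set of response headers for the six items in the acceptance criteria above: presence of Strict-Transport-Security (including its max-age and includeSubDomains directives), Content-Security-Policy, Referrer-Policy (validated against the spec's token list), Expect-CT, Feature-Policy (or its successor Permissions-Policy), and a Server header that leaks a version number. The two header sets are constructed samples, not real PRTG responses.

```python
"""Audit an HTTP response's security headers for the items in this request."""
import re

# Valid Referrer-Policy tokens per the W3C Referrer Policy specification.
REFERRER_POLICY_VALUES = {
    "no-referrer", "no-referrer-when-downgrade", "same-origin", "origin",
    "strict-origin", "origin-when-cross-origin",
    "strict-origin-when-cross-origin", "unsafe-url",
}


def _lower_keys(headers):
    """HTTP header names are case-insensitive; normalise once for lookups."""
    return {k.lower(): v for k, v in headers.items()}


def audit_headers(headers):
    """Return a list of (header, finding) tuples; an empty list means all checks passed."""
    h = _lower_keys(headers)
    findings = []

    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append(("Strict-Transport-Security", "missing"))
    else:
        m = re.search(r"max-age=(\d+)", hsts)
        if not m:
            findings.append(("Strict-Transport-Security", "no max-age directive"))
        elif int(m.group(1)) == 0:
            # max-age=0 tells the browser to forget the host, i.e. HSTS is effectively off.
            findings.append(("Strict-Transport-Security", "max-age=0 disables HSTS"))
        if "includesubdomains" not in hsts.lower():
            findings.append(("Strict-Transport-Security", "includeSubDomains not set"))

    if "content-security-policy" not in h:
        findings.append(("Content-Security-Policy", "missing"))

    rp = h.get("referrer-policy")
    if rp is None:
        findings.append(("Referrer-Policy", "missing"))
    elif rp.strip().lower() not in REFERRER_POLICY_VALUES:
        findings.append(("Referrer-Policy", f"unknown value {rp!r}"))

    if "expect-ct" not in h:
        findings.append(("Expect-CT", "missing"))

    # Feature-Policy was renamed Permissions-Policy; accept either spelling.
    if "feature-policy" not in h and "permissions-policy" not in h:
        findings.append(("Feature-Policy", "missing (neither Feature-Policy nor Permissions-Policy)"))

    # Any digit in the Server header is treated as a version disclosure.
    server = h.get("server", "")
    if re.search(r"\d", server):
        findings.append(("Server", f"discloses version: {server!r}"))

    return findings


# Constructed sample: a response lacking everything the request asks for.
SAMPLE_BEFORE = {
    "Content-Type": "text/html",
    "Server": "ExampleServer/1.2.3",  # constructed value, not a real product string
}

# Constructed sample after the requested headers have been added.
SAMPLE_AFTER = {
    "Content-Type": "text/html",
    "Server": "ExampleServer",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Expect-CT": "max-age=86400, enforce",
    "Permissions-Policy": "geolocation=(), camera=()",
}

if __name__ == "__main__":
    for name, sample in (("before", SAMPLE_BEFORE), ("after", SAMPLE_AFTER)):
        print(f"{name}: {len(audit_headers(sample))} finding(s)")
        for header, finding in audit_headers(sample):
            print(f"  {header}: {finding}")
```

To run it against a live server, pass the `dict(response.headers)` from any HTTP client into `audit_headers`; the function only inspects header names and values, so it works the same on a captured response saved to disk.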



Replies

Nobody has replied yet

