HTTP Security Headers not implemented #6511

marioferh · 2023-07-07T13:27:38Z

HTTP headers let the client and the server pass additional information with an HTTP request or response. HTTP headers

In thanos there is a flag with http.config but does not include https://thanos.io/tip/operating/https.md/

Implement headers.

Example:
        web: {
          httpConfig: {
            headers: {
              xFrameOptions: "DENY",
            },
          },
        },

The text was updated successfully, but these errors were encountered:

Vanshikav123 · 2023-10-03T12:51:28Z

Can i work on this issue?

marioferh · 2023-10-03T14:00:52Z

@Vanshikav123 Hi sure, but we need feedback from other members to know if it is needed.

Vanshikav123 · 2023-10-05T05:12:07Z

Hello @yeya24 please confirm that if this is needed or not.

gavinmathias · 2024-02-01T20:45:48Z

I'd like to vote for this as well. I'm getting warnings from a Qualys security scanner
https://success.qualys.com/support/s/article/000002924
about these missing HTTP response headers:

X-Content-Type-Options "nosniff"
Strict-Transport-Security "max-age=31536000; includeSubDomains"

Provide feedback