thanos-io / thanos

Highly available Prometheus setup with long term storage capabilities. A CNCF Incubating project.
https://thanos.io
Apache License 2.0

HTTP Security Headers not implemented #6511

Open marioferh opened 1 year ago

marioferh commented 1 year ago

HTTP Security Headers are not implemented

HTTP headers let the client and the server pass additional information with an HTTP request or response.

In Thanos there is a flag with http.config, but it does not include headers: https://thanos.io/tip/operating/https.md/

Solution

Prometheus has a similar flag that includes HTTP headers: https://prometheus.io/docs/prometheus/latest/configuration/https/

Implement headers.

Example:
        web: {
          httpConfig: {
            headers: {
              xFrameOptions: "DENY",
            },
          },
        },

Additional context

Prometheus http headers PR

Vanshikav123 commented 11 months ago

Can i work on this issue?

marioferh commented 11 months ago

@Vanshikav123 Hi sure, but we need feedback from other members to know if it is needed.

Vanshikav123 commented 10 months ago

Hello @yeya24, please confirm whether this is needed or not.

gavinmathias commented 6 months ago

I'd like to vote for this as well. I'm getting warnings from a Qualys security scanner https://success.qualys.com/support/s/article/000002924 about these missing HTTP response headers:

X-Content-Type-Options "nosniff"
Strict-Transport-Security "max-age=31536000; includeSubDomains"
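What the issue asks for, sketched in Go as an added example (this is not Thanos or Prometheus/exporter-toolkit code): a small header config modelled on the Prometheus http_server_config.headers block from the opening comment, a net/http middleware that applies it to every response, and the check a scanner such as the one in the comment above performs, listing which expected headers a response lacks. The type and function names (SecurityHeaders, Validate, Middleware, MissingHeaders, Probe) are my own, and the validation rules are patterned on, not copied from, the Prometheus web config.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// SecurityHeaders mirrors the header block of a Prometheus-style web config
// (http_server_config.headers). Illustrative names, not Thanos or
// exporter-toolkit types.
type SecurityHeaders struct {
	ContentSecurityPolicy   string
	XFrameOptions           string
	XContentTypeOptions     string
	XXSSProtection          string
	StrictTransportSecurity string
}

// Validate rejects values that would silently weaken the policy: an
// X-Frame-Options value other than DENY/SAMEORIGIN is ignored by browsers,
// and X-Content-Type-Options has exactly one meaningful value.
func (h SecurityHeaders) Validate() error {
	switch strings.ToLower(h.XFrameOptions) {
	case "", "deny", "sameorigin":
	default:
		return fmt.Errorf("X-Frame-Options: unsupported value %q (want DENY or SAMEORIGIN)", h.XFrameOptions)
	}
	switch strings.ToLower(h.XContentTypeOptions) {
	case "", "nosniff":
	default:
		return fmt.Errorf("X-Content-Type-Options: unsupported value %q (want nosniff)", h.XContentTypeOptions)
	}
	return nil
}

// pairs returns only the headers that were actually configured, so an empty
// field never emits an empty header.
func (h SecurityHeaders) pairs() map[string]string {
	all := map[string]string{
		"Content-Security-Policy":   h.ContentSecurityPolicy,
		"X-Frame-Options":           h.XFrameOptions,
		"X-Content-Type-Options":    h.XContentTypeOptions,
		"X-XSS-Protection":          h.XXSSProtection,
		"Strict-Transport-Security": h.StrictTransportSecurity,
	}
	out := map[string]string{}
	for k, v := range all {
		if v != "" {
			out[k] = v
		}
	}
	return out
}

// Middleware sets the configured headers before the wrapped handler writes
// its status line; headers added after WriteHeader would be lost.
func (h SecurityHeaders) Middleware(next http.Handler) http.Handler {
	hdrs := h.pairs()
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		for k, v := range hdrs {
			w.Header().Set(k, v)
		}
		next.ServeHTTP(w, r)
	})
}

// MissingHeaders is the scanner's check: which of the expected headers are
// absent from a response. Header.Get canonicalises names, so case is irrelevant.
func MissingHeaders(resp http.Header, want []string) []string {
	var missing []string
	for _, name := range want {
		if resp.Get(name) == "" {
			missing = append(missing, name)
		}
	}
	return missing
}

// Probe sends one in-process request through handler and reports the gaps.
func Probe(handler http.Handler, want []string) []string {
	rec := httptest.NewRecorder()
	handler.ServeHTTP(rec, httptest.NewRequest(http.MethodGet, "/-/healthy", nil))
	return MissingHeaders(rec.Result().Header, want)
}

func main() {
	// A bare handler stands in for a Thanos component's HTTP server.
	bare := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { w.WriteHeader(http.StatusOK) })
	want := []string{"X-Frame-Options", "X-Content-Type-Options", "Strict-Transport-Security"}
	fmt.Println("missing before:", Probe(bare, want))

	cfg := SecurityHeaders{
		XFrameOptions:           "DENY",
		XContentTypeOptions:     "nosniff",
		StrictTransportSecurity: "max-age=31536000; includeSubDomains",
	}
	if err := cfg.Validate(); err != nil {
		panic(err)
	}
	fmt.Println("missing after: ", Probe(cfg.Middleware(bare), want))
}
```

Two caveats a reviewer would raise if this were wired into a real server: Strict-Transport-Security is only honoured by browsers on a TLS response, so emitting it on a plain-HTTP listener is harmless but useless, and the middleware must wrap every mux the component exposes (API, UI, /metrics, /-/healthy), otherwise a scanner will still flag the unwrapped paths.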