About HSTS on CDF ports

  • KM03741303
  • 05-Oct-2020
  • 05-Oct-2020

This document has not been formally reviewed for accuracy and is provided "as is" for your convenience.

Summary

HSTS

Question

When a vulnerability scanner is run against CDF ports such as 8443, 5000 and 8200, it reports the following finding:

"HSTS Missing From HTTPS Server"


All three services (8443: Kubernetes API server, 8200: Vault, 5000: local image registry) are HTTPS-only. They have no plaintext HTTP listener, so there is no cleartext request for a downgrade or SSL-stripping attack to target, and a Strict-Transport-Security header would add nothing. HSTS is also a browser mechanism: the clients that normally talk to these ports (kubectl, the Docker daemon, the Vault CLI) do not implement it. The scanner reports the header as missing simply because it is absent; for these ports the finding is informational.

localhost:5000 is the local Docker image registry. In newer CDF versions such as 2019.11 it is constrained to TLS 1.2 with the standard list of strong ciphers.
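The two claims above (no plaintext listener, TLS 1.2 only) can be verified directly rather than taken from the scanner report. The following script is an added example and is not part of this KM article or of CDF; the host name and port list are assumptions for a master node. It sends a cleartext request to each port and classifies the reply, then performs a TLS handshake to read the negotiated version and check for the HSTS header. One detail a practitioner needs here: Go's net/http (which the API server, Vault and the registry are built on) answers a cleartext request on a TLS port with a plaintext "HTTP/1.0 400 ... Client sent an HTTP request to an HTTPS server", so a naive "did I get an HTTP/ status line" test would wrongly conclude that an HTTP listener exists.

```python
"""Probe HTTPS-only CDF ports: (1) does the port accept plaintext HTTP,
(2) what TLS version does it negotiate, (3) does it send Strict-Transport-Security.
Added example, not CDF code; host/port values below are assumptions."""
import socket
import ssl

# Phrases that Go net/http, nginx and Apache mod_ssl return in a *plaintext* 400
# when a cleartext request reaches a TLS listener. Seeing one of these is not
# evidence of an HTTP listener; it is evidence of the opposite.
TLS_ONLY_MARKERS = (
    b"Client sent an HTTP request to an HTTPS server",             # Go net/http
    b"The plain HTTP request was sent to HTTPS port",              # nginx
    b"You're speaking plain HTTP to an SSL-enabled server port",   # Apache mod_ssl
)


def classify_plaintext_reply(reply: bytes) -> str:
    """Classify the bytes a port returned to a cleartext 'GET / HTTP/1.0'.

    'closed'    nothing came back: the listener dropped a non-TLS client
    'tls-alert' a TLS alert record (content type 0x15): server spoke TLS back
    'tls-only'  a plaintext 400 whose body says 'you sent HTTP to an HTTPS port'
    'http'      a genuine HTTP response: the port really does serve cleartext
    'unknown'   anything else (some non-HTTP protocol)
    """
    if not reply:
        return "closed"
    if reply[0] == 0x15:
        return "tls-alert"
    if reply.startswith(b"HTTP/"):
        return "tls-only" if any(m in reply for m in TLS_ONLY_MARKERS) else "http"
    return "unknown"


def parse_headers(raw: bytes) -> dict:
    """Parse a raw HTTP response head into a {lowercase-name: value} dict."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split(b"\r\n")[1:]:          # skip the status line
        name, sep, value = line.partition(b":")
        if sep:
            headers[name.strip().lower().decode("latin-1")] = value.strip().decode("latin-1")
    return headers


def has_hsts(raw: bytes) -> bool:
    """True if the response head (not the body) carries Strict-Transport-Security."""
    return "strict-transport-security" in parse_headers(raw)


def probe_plaintext(host: str, port: int, timeout: float = 3.0) -> str:
    """Send a cleartext request and classify whatever comes back."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(b"GET / HTTP/1.0\r\nHost: %s\r\n\r\n" % host.encode())
            return classify_plaintext_reply(s.recv(4096))
    except (ConnectionResetError, TimeoutError):
        return "closed"


def _insecure_client_context() -> ssl.SSLContext:
    # Certificate checks are off on purpose: we inspect the listener, we do not
    # trust it (CDF internal endpoints use a cluster-internal CA).
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def probe_tls(host: str, port: int, timeout: float = 3.0):
    """Handshake with a TLS 1.2 floor; return (negotiated_version, hsts_present)."""
    ctx = _insecure_client_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            tls.sendall(b"GET / HTTP/1.0\r\nHost: %s\r\n\r\n" % host.encode())
            return tls.version(), has_hsts(tls.recv(8192))


def legacy_tls_accepted(host: str, port: int, timeout: float = 3.0) -> bool:
    """Offer at most TLS 1.1; True means the server accepted a pre-1.2 version.
    False can also mean the local OpenSSL refuses to offer TLS 1.0/1.1 at all."""
    ctx = _insecure_client_context()
    try:
        ctx.maximum_version = ssl.TLSVersion.TLSv1_1
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host):
                return True
    except (ssl.SSLError, OSError, ValueError):
        return False


if __name__ == "__main__":
    host = "localhost"   # assumed: run on the CDF master node
    for port, name in ((8443, "kube-apiserver"), (8200, "vault"), (5000, "registry")):
        try:
            print(f"{name}:{port} plaintext -> {probe_plaintext(host, port)}")
            version, hsts = probe_tls(host, port)
            print(f"{name}:{port} tls -> {version}, hsts={hsts}, "
                  f"legacy_tls={legacy_tls_accepted(host, port)}")
        except OSError as exc:
            print(f"{name}:{port} error -> {exc}")
```

Expected output on a correctly configured node: plaintext classified as "closed", "tls-alert" or "tls-only" (never "http"), a negotiated version of TLSv1.2 or TLSv1.3, hsts=False, and legacy_tls=False. A port that reports "http" does have a cleartext listener and the scanner finding is then real for it.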