Splunk Enterprise Security

Why am I getting a warning when our systems are scanned by Qualys as a part of our deployment process?

Splunk Employee
Splunk Employee

Below is the report from Qualys, please help me work it around.

X-XSS-Protection HTTP Header missing on port 8089.
GET / HTTP/1.1
Host: splidx-5.mysplunk.com:8089
Connection: Keep-Alive
Content-Security-Policy HTTP Header missing on port 8089.
Strict-Transport-Security HTTP Header missing on port 8089.

1 Solution

Splunk Employee
Splunk Employee

Please try the below in the "server.conf"

[httpServer]
replyHeader.X-XSS-Protection= 1; mode=block
replyHeader.Content-Security-Policy = script-src 'self'; object-src 'self'
[sslConfig]
sendStrictTransportSecurityHeader=true

OR the easier way, you can consider to block scanner from connecting to the port..
acceptFrom = "list of server name or ip addresses to include all SHs/Deployer,Indexers/CM, HF, LM, Deployment Srver,127.0.0.1,.. "

Implementing this parameter needs thorough testing to ensure it doesn't break Splunk Services and make sure to include 127.0.0.1 this is mandatary.
https://docs.splunk.com/Documentation/Splunk/7.1.2/Admin/Serverconf

for example, in server.conf,
*[httpServer]
acceptFrom = shd*.abc.com, idx*.abc.com, cm.abc.com,deployer.abc.com,LM.abc.com,127.0.0.1
*

View solution in original post

Splunk Employee
Splunk Employee

Please try the below in the "server.conf"

[httpServer]
replyHeader.X-XSS-Protection= 1; mode=block
replyHeader.Content-Security-Policy = script-src 'self'; object-src 'self'
[sslConfig]
sendStrictTransportSecurityHeader=true

OR the easier way, you can consider to block scanner from connecting to the port..
acceptFrom = "list of server name or ip addresses to include all SHs/Deployer,Indexers/CM, HF, LM, Deployment Srver,127.0.0.1,.. "

Implementing this parameter needs thorough testing to ensure it doesn't break Splunk Services and make sure to include 127.0.0.1 this is mandatary.
https://docs.splunk.com/Documentation/Splunk/7.1.2/Admin/Serverconf

for example, in server.conf,
*[httpServer]
acceptFrom = shd*.abc.com, idx*.abc.com, cm.abc.com,deployer.abc.com,LM.abc.com,127.0.0.1
*

View solution in original post

Splunk Employee
Splunk Employee

If it's from UF then you can add the below to server.conf - The downside of having this in UF is, you may not be able to run REST call against the UF from the browsers on your laptop, which is frequently asked by Splunk Support during some troubleshooting.

[httpServer]
acceptFrom = 127.0.0.1

0 Karma