Splunk Enterprise Security

Why am I getting a warning when our systems are scanned by Qualys as a part of our deployment process?

sylim_splunk
Splunk Employee
Splunk Employee

Below is the report from Qualys, please help me work it around.

X-XSS-Protection HTTP Header missing on port 8089.
GET / HTTP/1.1
Host: splidx-5.mysplunk.com:8089
Connection: Keep-Alive
Content-Security-Policy HTTP Header missing on port 8089.
Strict-Transport-Security HTTP Header missing on port 8089.

1 Solution

sylim_splunk
Splunk Employee
Splunk Employee

Please try the below in the "server.conf"

[httpServer]
replyHeader.X-XSS-Protection= 1; mode=block
replyHeader.Content-Security-Policy = script-src 'self'; object-src 'self'
[sslConfig]
sendStrictTransportSecurityHeader=true

OR the easier way, you can consider to block scanner from connecting to the port..
acceptFrom = "list of server name or ip addresses to include all SHs/Deployer,Indexers/CM, HF, LM, Deployment Srver,127.0.0.1,.. "

Implementing this parameter needs thorough testing to ensure it doesn't break Splunk Services and make sure to include 127.0.0.1 this is mandatary.
https://docs.splunk.com/Documentation/Splunk/7.1.2/Admin/Serverconf

for example, in server.conf,
*[httpServer]
acceptFrom = shd*.abc.com, idx*.abc.com, cm.abc.com,deployer.abc.com,LM.abc.com,127.0.0.1
*

View solution in original post

sylim_splunk
Splunk Employee
Splunk Employee

Please try the below in the "server.conf"

[httpServer]
replyHeader.X-XSS-Protection= 1; mode=block
replyHeader.Content-Security-Policy = script-src 'self'; object-src 'self'
[sslConfig]
sendStrictTransportSecurityHeader=true

OR the easier way, you can consider to block scanner from connecting to the port..
acceptFrom = "list of server name or ip addresses to include all SHs/Deployer,Indexers/CM, HF, LM, Deployment Srver,127.0.0.1,.. "

Implementing this parameter needs thorough testing to ensure it doesn't break Splunk Services and make sure to include 127.0.0.1 this is mandatary.
https://docs.splunk.com/Documentation/Splunk/7.1.2/Admin/Serverconf

for example, in server.conf,
*[httpServer]
acceptFrom = shd*.abc.com, idx*.abc.com, cm.abc.com,deployer.abc.com,LM.abc.com,127.0.0.1
*

sylim_splunk
Splunk Employee
Splunk Employee

If it's from UF then you can add the below to server.conf - The downside of having this in UF is, you may not be able to run REST call against the UF from the browsers on your laptop, which is frequently asked by Splunk Support during some troubleshooting.

[httpServer]
acceptFrom = 127.0.0.1

0 Karma
Get Updates on the Splunk Community!

Splunk Enterprise Security 8.0.2 Availability: On cloud and On-premise!

A few months ago, we released Splunk Enterprise Security 8.0 for our cloud customers. Today, we are excited to ...

Logs to Metrics

Logs and Metrics Logs are generally unstructured text or structured events emitted by applications and written ...

Developer Spotlight with Paul Stout

Welcome to our very first developer spotlight release series where we'll feature some awesome Splunk ...