HTTP StrictTransport-Security header was not found in HTTP API responses

[udittyagi1994]

Vulnerabilities reported in security scan -
F 3.2
MEDIUM
Missing Cross-Frame Scripting Protection

Recommendation
A Cross-Frame Scripting (XFS) vulnerability can allow an attacker to load the vulnerable application inside an HTML iframe tag on a malicious page. The attacker could use this weakness to devise a Clickjacking attack to conduct phishing, frame sniffing, social engineering or CrossSite Request Forgery attacks.
X-Frame-Options header should be present in header of each server response. It will inform web browsers whether it can be framed on certain sites. "X-FrameOptions" header must be present in every server response, including 404 Page Not Found or 500 Internal Server Error.

Missing HTTP StrictTransport-Security Header

Recommendation
HTTP StrictTransport-Security header was not found in HTTP responses.
Include HTTP StrictTransport-SecurityHeader into each server's HTTP response.

Fix required in RabbitMQ management plugin -

In a security audit in which we do a scan using tools like OWASP, Qualys and Nessus it came up in the scan report these vulnerabilities are related to headers that are missing in RabbitMQ management plugin URL. An application deployed over a server should have headers like the below :
Strict-Transport-Security:max-age=31536000; includeSubDomains
x-frame-options:SAMEORIGIN

Fix required in rabbitMQ management plugin for Strict-Transport-Security is : https://www.valencynetworks.com/kb/strict-transport-security-header-missing.html
To understand more on Cross Frame Click jacking vulnerability : https://owasp.org/www-community/attacks/Cross_Frame_Scripting

[michaelklishin]

@udittyagi1994 thanks. You should have privately reported this, what you did here is known as irresponsible disclosure. There is an email address (security at RabbitMQ domain) for that listed on the home page and on the Contact Us page. You also haven't provided any version details.

However, we will not delete this issue because there is nothing to fix. The user can set any value for

• HSTS
• CSP
• CORS

that they need.

@udittyagi1994 never ever report vulnerabilities, whether real or noise from automated scanners, publicly.

[michaelklishin]

and those settings first shipped in 3.7.9 in Nov 2018.

[udittyagi1994]

@michaelklishin, Thanks for letting me know, initially I raised a concern privately to a group only but there I was suggested to raise an issue here. and it's good to know these settings have been shipped as part of the 3.7.9 release.

I am using 3.8.8 version of RabbitMQ and trying to configure HSTS and Cross-origin settings for the management plugin, but unable to do so, Could you please let me know where exactly this needs to be configured. I have tried below but didn't work -

It is possible to configure what Strict Transport Security header value is used by HTTP API responses:
management.hsts.policy = max-age=31536000; includeSubDomains

I want this policy to be applied to rabbitmq management plugin but above setting is not supported when modified in etc/rabbitmq/rabbitmq.config file, Please help me understand if the format needs to be changed as my rabbitmq.config file is in a classic format.