Splunk Enterprise Security

Why am I getting a warning when our systems are scanned by Qualys as a part of our deployment process?

sylim_splunk
Splunk Employee
Splunk Employee

Below is the report from Qualys, please help me work it around.

X-XSS-Protection HTTP Header missing on port 8089.
GET / HTTP/1.1
Host: splidx-5.mysplunk.com:8089
Connection: Keep-Alive
Content-Security-Policy HTTP Header missing on port 8089.
Strict-Transport-Security HTTP Header missing on port 8089.

1 Solution

sylim_splunk
Splunk Employee
Splunk Employee

Please try the below in the "server.conf"

[httpServer]
replyHeader.X-XSS-Protection= 1; mode=block
replyHeader.Content-Security-Policy = script-src 'self'; object-src 'self'
[sslConfig]
sendStrictTransportSecurityHeader=true

OR the easier way, you can consider to block scanner from connecting to the port..
acceptFrom = "list of server name or ip addresses to include all SHs/Deployer,Indexers/CM, HF, LM, Deployment Srver,127.0.0.1,.. "

Implementing this parameter needs thorough testing to ensure it doesn't break Splunk Services and make sure to include 127.0.0.1 this is mandatary.
https://docs.splunk.com/Documentation/Splunk/7.1.2/Admin/Serverconf

for example, in server.conf,
*[httpServer]
acceptFrom = shd*.abc.com, idx*.abc.com, cm.abc.com,deployer.abc.com,LM.abc.com,127.0.0.1
*

View solution in original post

sylim_splunk
Splunk Employee
Splunk Employee

Please try the below in the "server.conf"

[httpServer]
replyHeader.X-XSS-Protection= 1; mode=block
replyHeader.Content-Security-Policy = script-src 'self'; object-src 'self'
[sslConfig]
sendStrictTransportSecurityHeader=true

OR the easier way, you can consider to block scanner from connecting to the port..
acceptFrom = "list of server name or ip addresses to include all SHs/Deployer,Indexers/CM, HF, LM, Deployment Srver,127.0.0.1,.. "

Implementing this parameter needs thorough testing to ensure it doesn't break Splunk Services and make sure to include 127.0.0.1 this is mandatary.
https://docs.splunk.com/Documentation/Splunk/7.1.2/Admin/Serverconf

for example, in server.conf,
*[httpServer]
acceptFrom = shd*.abc.com, idx*.abc.com, cm.abc.com,deployer.abc.com,LM.abc.com,127.0.0.1
*

sylim_splunk
Splunk Employee
Splunk Employee

If it's from UF then you can add the below to server.conf - The downside of having this in UF is, you may not be able to run REST call against the UF from the browsers on your laptop, which is frequently asked by Splunk Support during some troubleshooting.

[httpServer]
acceptFrom = 127.0.0.1

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...