Security warnings due to missing HSTS response headers

Puppet Enterprise (PE) does not implement HTTP Strict Transport Security (HSTS) in response headers because the ports used by PE are not open to the internet. However, your security system might flag HSTS response headers as missing and deliver a warning that PE service ports are vulnerable. If this happens, consider adjusting your security software configuration to add an exception for PE ports.

About HSTS

HSTS is designed to protect sites against man-in-the-middle attacks. When HSTS is enabled, the site sends a Strict-Transport-Security response header that instructs user agents and browsers to load site content over HTTPS only, rather than allowing a downgrade to plain HTTP.

Why HSTS is not required for PE

HSTS is not required for PE because none of the ports used by PE are open to the internet.

Adding exceptions for PE ports

If your security system flags a vulnerability due to missing HSTS headers in PE service ports, consider adjusting your security software configuration to add an exception for PE ports.

Typically, an exception is required only for port 443, which is used for PE console services. Port 443 is available to PE users only within an internal network. To prevent attacks, the console service accepts only HTTPS traffic and sets only secure, domain-bound cookies. Mixed content (a combination of HTTP and HTTPS content) is not allowed.
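The following is an added example, not Puppet Enterprise code or part of this documentation. It shows the two pieces a scanner exception policy rests on: parsing the Strict-Transport-Security header as described under "About HSTS" (max-age is mandatory, includeSubDomains and preload are optional, and a header delivered over plain HTTP is ignored by browsers), and classifying responses while exempting listed internal service ports such as the PE console on port 443. The hostname puppet.example.internal, the sample responses and the 180-day "weak policy" threshold are all constructed assumptions.

```python
"""Added example: a minimal HSTS check of the kind a security scanner performs,
with an allowlist for internal service ports such as PE's console port 443.
Hypothetical code, not part of Puppet Enterprise."""
from dataclasses import dataclass
from typing import Optional

# Threshold below which a scanner would call the policy "weak" (assumption:
# 180 days, a common scanner default; adjust to local policy).
MIN_MAX_AGE = 180 * 24 * 3600


@dataclass
class HstsPolicy:
    max_age: int
    include_subdomains: bool = False
    preload: bool = False


def parse_hsts(value: str) -> Optional[HstsPolicy]:
    """Parse a Strict-Transport-Security header value (RFC 6797 directives).

    Returns None when the header is malformed or lacks the mandatory max-age.
    Unknown directives are ignored, as user agents are required to do.
    """
    max_age = None
    include_subdomains = False
    preload = False
    for directive in value.split(";"):
        name, _, raw = directive.strip().partition("=")
        name = name.strip().lower()
        raw = raw.strip().strip('"')
        if name == "max-age":
            if not raw.isdigit():
                return None
            max_age = int(raw)
        elif name == "includesubdomains":
            include_subdomains = True
        elif name == "preload":
            preload = True
    if max_age is None:
        return None
    return HstsPolicy(max_age, include_subdomains, preload)


def evaluate_hsts(scheme: str, host: str, port: int, headers: dict,
                  exceptions: set) -> str:
    """Classify one response as 'exempt', 'ok', 'weak' or 'missing'."""
    if (host, port) in exceptions:
        return "exempt"
    # Browsers only honour HSTS delivered over HTTPS; a header on a plain
    # HTTP response gives no protection, so treat it as absent.
    if scheme != "https":
        return "missing"
    value = next((v for k, v in headers.items()
                  if k.lower() == "strict-transport-security"), None)
    if value is None:
        return "missing"
    policy = parse_hsts(value)
    if policy is None:
        return "missing"  # malformed header is ignored by browsers
    if policy.max_age < MIN_MAX_AGE:
        return "weak"
    return "ok"


# Constructed sample responses (not captured from a real deployment).
PE_EXCEPTIONS = {("puppet.example.internal", 443)}  # hypothetical PE console host

SAMPLES = [
    ("https", "puppet.example.internal", 443, {"Content-Type": "text/html"}),
    ("https", "www.example.com", 443,
     {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"}),
    ("https", "shop.example.com", 443,
     {"Strict-Transport-Security": "max-age=300"}),
    ("http", "www.example.org", 80,
     {"Strict-Transport-Security": "max-age=31536000"}),
    ("https", "legacy.example.com", 443, {}),
]


def scan(samples=SAMPLES, exceptions=PE_EXCEPTIONS) -> dict:
    """Run the check over every sample and return target -> verdict."""
    return {f"{s}://{h}:{p}": evaluate_hsts(s, h, p, hd, exceptions)
            for s, h, p, hd in samples}


if __name__ == "__main__":
    for target, verdict in scan().items():
        print(f"{verdict:8} {target}")
```

The exception is keyed on host and port rather than on the whole host, so a finding on another port of the same PE host is still reported; only the console service on port 443, which the page identifies as the one typically needing an exception, is exempted.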

To learn more about PE ports, see Firewall configuration.