Your security team may flag Puppet Enterprise service ports as vulnerable because of their lack of HSTS (HTTP Strict Transport Security) headers.
Version and installation information
PE version: All versions
You do not need to enable HSTS for PE ports. HSTS is a browser-enforced policy: a web server sends a `Strict-Transport-Security` header, and the browser then refuses to connect to that host over plain HTTP for the stated period. It protects browser sessions on the public internet against downgrade and MITM attacks, such as mixed insecure content and cookie-hijacking over an HTTP connection. It does nothing for non-browser clients; the Puppet agent, for example, already speaks only TLS to port 8140 and authenticates with certificates issued by the PE CA. PE is designed to run on your internal network, and its components are not meant to be reachable from the internet, so the threat HSTS addresses does not apply to them.
The following components should never be available via the internet:
- Port 8140, used for agent/server communication and console/server communication
- The agent
- PE service ports
- The console
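The practical check behind a finding like this is not "add the header" but "confirm the port is not exposed". The script below is an added example, not part of this article or of Puppet's own tooling: it parses `ss -ltnH` style output and reports PE service ports bound to a wildcard or public address, which are the listeners you must confirm are blocked at the perimeter firewall. The port list is an assumption based on a default PE layout (only 8140 and the console appear in the article; adjust `PE_PORTS` to your installation), and the socket listing is constructed sample data, not captured from a real system.

```python
"""Audit listening sockets for Puppet Enterprise ports exposed beyond the internal network.

Added example; not Puppet's own code. PE_PORTS is an assumed default layout.
"""
import ipaddress
import re

# Assumed PE service ports (default layout; adjust to your installation).
PE_PORTS = {
    8140: "puppetserver (agent/server and console/server communication)",
    443: "console",
    4433: "console services (classifier, RBAC, activity)",
    8081: "PuppetDB",
    8142: "orchestrator / PCP broker",
    8143: "PXP broker",
    5432: "PE-PostgreSQL",
}

# Address ranges treated as internal: RFC 1918, loopback, link-local, ULA.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16",
    "127.0.0.0/8", "::1/128", "fc00::/7", "fe80::/10",
)]

# Constructed sample of `ss -ltnH` output (not from a real host).
# 203.0.113.10 (a documentation range) stands in for a routable public address.
SAMPLE_SS = """\
LISTEN 0 4096 0.0.0.0:8140 0.0.0.0:*
LISTEN 0 4096 10.0.12.5:443 0.0.0.0:*
LISTEN 0 4096 127.0.0.1:5432 0.0.0.0:*
LISTEN 0 4096 [::]:8081 [::]:*
LISTEN 0 4096 203.0.113.10:8142 0.0.0.0:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
"""

_LISTEN_RE = re.compile(r"^LISTEN\s+\d+\s+\d+\s+(\S+):(\d+)\s")


def parse_listeners(ss_output):
    """Yield (bind_address, port) for each LISTEN line; strips [] from IPv6 addresses."""
    for line in ss_output.splitlines():
        m = _LISTEN_RE.match(line)
        if not m:
            continue
        addr, port = m.group(1), int(m.group(2))
        if addr.startswith("[") and addr.endswith("]"):
            addr = addr[1:-1]
        yield addr, port


def classify_bind(addr):
    """Return 'wildcard', 'loopback', 'internal' or 'public' for a bind address."""
    if addr == "*":
        return "wildcard"
    ip = ipaddress.ip_address(addr)
    if ip.is_unspecified:          # 0.0.0.0 or :: -> listens on every interface
        return "wildcard"
    if ip.is_loopback:
        return "loopback"
    if any(ip in net for net in INTERNAL_NETS):
        return "internal"
    return "public"


def audit(ss_output, pe_ports=PE_PORTS):
    """Return PE listeners that are bound to a wildcard or public address.

    A wildcard bind is normal for PE (agents on the network must reach 8140);
    each finding means "verify this port is blocked at the perimeter", not
    "misconfiguration".
    """
    findings = []
    for addr, port in parse_listeners(ss_output):
        if port not in pe_ports:
            continue
        kind = classify_bind(addr)
        if kind in ("wildcard", "public"):
            findings.append({"port": port, "addr": addr, "bind": kind,
                             "service": pe_ports[port]})
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_SS):
        print(f"port {f['port']} ({f['service']}) bound to {f['addr']} [{f['bind']}]: "
              "confirm it is not reachable from the internet")
```

On a real PE host, feed the script the output of `ss -ltnH` and then confirm from an external vantage point that every reported port is filtered; an internet-reachable 8140 or console is the actual finding to fix, and a missing HSTS header on an internal-only service is not.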