Your security team may flag Puppet Enterprise service ports as vulnerable because of their lack of HSTS (HTTP Strict Transport Security) headers.
Version and installation information
PE version: All versions
Solution
You do not need to enable HSTS for PE ports. HSTS is a response header that tells browsers to reach a site over HTTPS only; it protects websites against internet-based threats such as mixed content (insecure HTTP resources on an HTTPS page), cookie-related attacks, and other man-in-the-middle (MITM) attacks. When PE is installed, its components are by default not reachable from the internet and are available only on your internal network.
The following components should never be available via the internet:
- Port 8140, used for agent/server communication and console/server communication
- The agent
- PE service ports
- The console
Of those, only the console interacts with web browsers and uses cookies. In the console, secure, domain-bound cookies protect you against passive network attacks and against other web applications. Console communication is over HTTPS only, and mixed content (a combination of HTTP and HTTPS content) is not allowed.
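A small check you can run against your own console to confirm the properties above (cookie flags, HTTPS-only headers, and whether an HSTS header is present at all). This is an added example, not Puppet's code; the host name and the sample headers are constructed.

```python
"""Audit console response headers: cookie Secure/HttpOnly/SameSite flags and
HSTS presence. Added example; SAMPLE_HEADERS and console.example.com are constructed."""
import http.client
import ssl
from dataclasses import dataclass, field

# Constructed sample headers, similar to what a scanner sees on the console port.
SAMPLE_HEADERS = [
    ("Content-Type", "text/html; charset=utf-8"),
    ("Set-Cookie", "pl_ssl_session=abc123; Path=/; Secure; HttpOnly; SameSite=Strict"),
    ("Set-Cookie", "theme=dark; Path=/"),
]

@dataclass
class CookieFinding:
    name: str
    scope: str                      # host-only or the Domain attribute value
    missing: list = field(default_factory=list)

def parse_set_cookie(value):
    """Split a Set-Cookie value into (name, {attribute: value_or_True})."""
    parts = [p.strip() for p in value.split(";") if p.strip()]
    name = parts[0].split("=", 1)[0]
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return name, attrs

def audit_cookies(headers):
    """Return one finding per cookie lacking Secure, HttpOnly or SameSite."""
    findings = []
    for key, value in headers:
        if key.lower() != "set-cookie":
            continue
        name, attrs = parse_set_cookie(value)
        missing = [a for a in ("secure", "httponly", "samesite") if a not in attrs]
        if missing:
            # No Domain attribute means the browser binds the cookie to this host only.
            findings.append(CookieFinding(name, attrs.get("domain", "host-only"), missing))
    return findings

def has_hsts(headers):
    return any(k.lower() == "strict-transport-security" for k, _ in headers)

def fetch_headers(host, port=443, path="/", cafile=None):
    """HEAD the console over TLS (cafile = your PE CA bundle) and return its headers."""
    ctx = ssl.create_default_context(cafile=cafile)
    conn = http.client.HTTPSConnection(host, port, context=ctx, timeout=10)
    conn.request("HEAD", path)
    headers = conn.getresponse().getheaders()
    conn.close()
    return headers
```

Run `audit_cookies(fetch_headers("console.example.com", cafile="/path/to/ca.pem"))` against your own console; an empty list means every cookie carries the expected flags, and `has_hsts` reporting False is expected for a console that is not internet-reachable.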