HTTP Security Headers

Hi Pritunl Team,
While implementing Pritunl Zero, our compliance team has notified us of
the following risk alerts from securityscorecard.com regarding Pritunl Zero's web UI:

  • Website Does Not Implement HSTS Best Practices
  • Website does not implement X-Content-Type-Options Best Practices
  • Site Does Not Use Best Practices Against Embedding of Malicious Content

This results in an overall score deduction and affects our compliance policy.
Is there a way to add these HTTP security headers:

  • Strict-Transport-Security
  • X-Frame-Options
  • X-Content-Type-Options
  • Referrer-Policy

Applying these will promptly elevate Pritunl Zero's score on securityscorecard.com, granting us better compliance for our customers.

Kindly advise. Thank you.

Using HSTS would block access to the web console if the certificate is ever expired or configured incorrectly. Domain matching is used so it can’t be overridden by using an IP address.

I have enabled some of the other headers and this will be included in the next release. These were first tested in Pritunl Cloud but never copied over to Pritunl Zero.

There is a CSRF token implemented for both the web console and on top of any web services, but the backend web service will need to configure any headers. These headers would only be configured for the user and admin web console.
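For readers who, as the reply suggests, need to set these headers on their own backend web service or reverse proxy rather than wait for the console release, the Go middleware below is an added example written for this thread. It is not Pritunl's code and assumes nothing about Pritunl Zero's internals; the hostname console.example.internal and the HeaderPolicy names are made up for illustration. It sets X-Content-Type-Options, X-Frame-Options and Referrer-Policy unconditionally, but keeps Strict-Transport-Security behind an explicit opt-in and only emits it on TLS responses, which is the caveat the reply raises: once a browser has cached HSTS, an expired or misconfigured certificate blocks access for the whole max-age window.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// HeaderPolicy holds the response-header choices an operator applies in front
// of a web console. EnableHSTS is separate from the rest because HSTS pins
// browsers to TLS for max-age seconds: a bad certificate then locks users out.
type HeaderPolicy struct {
	EnableHSTS     bool
	HSTSMaxAgeSecs int
	FrameOptions   string // "DENY" or "SAMEORIGIN"; blocks embedding in third-party frames
	ReferrerPolicy string
}

// SecurityHeaders wraps next and sets the headers requested in the thread
// before the inner handler writes its status line.
func SecurityHeaders(p HeaderPolicy, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		h := w.Header()
		h.Set("X-Content-Type-Options", "nosniff")
		h.Set("X-Frame-Options", p.FrameOptions)
		h.Set("Referrer-Policy", p.ReferrerPolicy)
		// HSTS is only honoured on TLS responses, and sending it there without
		// reliable certificate management risks locking operators out.
		if p.EnableHSTS && r.TLS != nil {
			h.Set("Strict-Transport-Security", fmt.Sprintf("max-age=%d", p.HSTSMaxAgeSecs))
		}
		next.ServeHTTP(w, r)
	})
}

// DefaultPolicy is the conservative setting: all headers except HSTS, which the
// operator turns on once certificate renewal is known to be dependable.
func DefaultPolicy() HeaderPolicy {
	return HeaderPolicy{
		EnableHSTS:     false,
		HSTSMaxAgeSecs: 31536000, // one year, the value scanners typically expect when HSTS is on
		FrameOptions:   "DENY",
		ReferrerPolicy: "strict-origin-when-cross-origin",
	}
}

// ResponseHeaders runs one request through the middleware and returns the
// resulting headers. overTLS picks an https URL, which makes httptest mark the
// request as having arrived over TLS (r.TLS != nil).
func ResponseHeaders(p HeaderPolicy, overTLS bool) http.Header {
	inner := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.WriteHeader(http.StatusOK)
	})
	target := "http://console.example.internal/" // hypothetical console host
	if overTLS {
		target = "https://console.example.internal/"
	}
	req := httptest.NewRequest(http.MethodGet, target, nil)
	rec := httptest.NewRecorder()
	SecurityHeaders(p, inner).ServeHTTP(rec, req)
	return rec.Result().Header
}

func main() {
	p := DefaultPolicy()
	fmt.Println("default policy over TLS (no HSTS):")
	for k, v := range ResponseHeaders(p, true) {
		fmt.Printf("  %s: %s\n", k, v[0])
	}
	p.EnableHSTS = true
	fmt.Println("HSTS enabled over TLS:")
	for k, v := range ResponseHeaders(p, true) {
		fmt.Printf("  %s: %s\n", k, v[0])
	}
	fmt.Println("HSTS enabled over plain HTTP (header withheld):")
	for k, v := range ResponseHeaders(p, false) {
		fmt.Printf("  %s: %s\n", k, v[0])
	}
}
```

Wrapping the console's mux with SecurityHeaders(DefaultPolicy(), mux) gives the three low-risk headers immediately; flipping EnableHSTS is a deliberate, separate step, and starting with a short max-age before moving to a year keeps any certificate mistake recoverable.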

Sorry for the late reply. Thank you very much.
Looking forward to the next release.

Cheers,