TiDB Component Port 10080 Detected Missing X-Content-Type-Options Response Header

Note:
This topic has been translated from a Chinese forum by GPT and might contain errors.

Original topic: tidb组件10080端口检测到目标X-Content-Type-Options响应头缺失

| username: EricSong

A recent security issue encountered:
Vulnerability scanning detected that port 10080 of the TiDB component is missing the X-Content-Type-Options response header. This can be reproduced manually with curl -i "http://{tidb-ip-host}:10080/metrics".
The current solution we have thought of is enabling TLS between components, which directly rejects non-internal requests and thus solves (or avoids) this problem. However, enabling TLS between components requires restarting the cluster, which is quite costly.
Is there a solution that addresses this problem at a lower cost?

| username: TiDBer_jYQINSnf | Original post link

There should be a firewall between TiDB and the scanning tool, opening only port 4000 and closing port 10080, which is of no use from outside.

| username: WalterWj | Original post link

Change the default port

| username: tidb菜鸟一只 | Original post link

Add the firewall whitelist so that only TiDB internal machines can access this port, and other machines are not allowed to access it.
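The two practical steps in this thread are the header check from the original post (curl -i against port 10080) and the firewall allowlist suggested in this reply. The script below is an added example, not code from the TiDB project or from anyone in the thread: the first function reads raw HTTP response headers (as produced by curl -i) from stdin and reports whether X-Content-Type-Options: nosniff is present, so the finding can be verified before and after a change; the second emits iptables rules that restrict the status port to an allowlist of internal CIDRs and drop everything else. The port number and the CIDRs are placeholders, the sample responses are constructed, and the iptables rule layout is one assumed approach (a firewalld or cloud security-group equivalent works the same way).

```shell
#!/usr/bin/env bash
# Added example for the TiDB status-port finding: header check plus allowlist rules.
# Not part of TiDB or of the original forum thread.

# Return 0 when the HTTP response headers on stdin carry
# "X-Content-Type-Options: nosniff" (header names are case-insensitive),
# 1 otherwise. Reads only up to the first blank line so a body is ignored.
check_nosniff() {
  tr -d '\r' | sed '/^[[:space:]]*$/q' \
    | grep -qi '^x-content-type-options:[[:space:]]*nosniff[[:space:]]*$'
}

# Print iptables rules that allow TCP <port> only from the given CIDRs and
# drop it for everyone else. Usage: status_port_rules 10080 10.0.0.0/24 ...
# (assumed rule layout: explicit ACCEPT per internal CIDR, then a final DROP).
status_port_rules() {
  port="$1"
  shift
  for cidr in "$@"; do
    printf 'iptables -A INPUT -p tcp --dport %s -s %s -j ACCEPT\n' "$port" "$cidr"
  done
  printf 'iptables -A INPUT -p tcp --dport %s -j DROP\n' "$port"
}

# Constructed sample responses, standing in for `curl -si http://<host>:10080/metrics`.
# The first one reproduces the scanner finding (header absent), the second does not.
SAMPLE_MISSING=$'HTTP/1.1 200 OK\r\nContent-Type: text/plain; version=0.0.4\r\nDate: Mon, 01 Jan 2024 00:00:00 GMT\r\n\r\n# HELP go_goroutines Number of goroutines\r\n'
SAMPLE_PRESENT=$'HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\nX-Content-Type-Options: nosniff\r\n\r\nbody\r\n'

# Convenience wrapper returning "missing" or "present" for a response string.
classify_response() {
  if printf '%s' "$1" | check_nosniff; then
    echo present
  else
    echo missing
  fi
}

# Demonstration when run directly: show the classification and the rules
# for an assumed internal range (placeholder addresses).
if [ "${BASH_SOURCE[0]}" = "$0" ]; then
  echo "sample without header: $(classify_response "$SAMPLE_MISSING")"
  echo "sample with header:    $(classify_response "$SAMPLE_PRESENT")"
  echo "rules for port 10080 limited to 10.0.0.0/24 and 10.0.1.0/24:"
  status_port_rules 10080 10.0.0.0/24 10.0.1.0/24
fi
```

To check a live host, pipe the real response in: curl -si "http://{tidb-ip-host}:10080/metrics" | check_nosniff. After the allowlist is in place, the same curl from a non-allowlisted machine should time out or be refused, which is the condition the scanner will observe.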

| username: EricSong | Original post link

Thank you, this method works.

| username: system | Original post link

This topic was automatically closed 60 days after the last reply. New replies are no longer allowed.