DAST issues Missing or insecure security headers

Our security scanner reported the DAST issues below.
Can these be fixed from the grafana/loki server side?
Grafana version 10.4.2
grafana 2.9.7

Both for the Loki and Grafana endpoints.

Missing “Content-Security-Policy” header
Missing or insecure “X-Content-Type-Options” header
Missing or insecure HTTP Strict-Transport-Security
Missing “Referrer policy” Security Header

Missing “Content-Security-Policy” header

Reasoning: AppScan detected that the Content-Security-Policy response header is missing or has an insecure policy, which increases exposure to various cross-site injection attacks.

Test Requests and Responses:

GET / HTTP/1.1
Accept-Language: en-US
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Host: loki-sgi.platform.saas.ibm.com
User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36
Content-Length: 0

HTTP/1.1 200 OK
Date: Mon, 17 Jun 2024 01:35:38 GMT
Content-Type: application/octet-stream
Content-Length: 2
Connection: keep-alive
CF-Cache-Status: DYNAMIC
Server: cloudflare
CF-RAY: 894f4ddb4f37829f-IAD
Set-Cookie: 2dd7ffe3e648bc0f3a47034a7978800f=eaca6a1d14d07a9047079d750e499937; path=/; HttpOnly; Secure; SameSite=None

OK

Missing or insecure “X-Content-Type-Options” header

Reasoning: AppScan detected that the "X-Content-Type-Options" response header is missing or has an insecure value, which increases exposure to drive-by download attacks.

Test Requests and Responses:

GET / HTTP/1.1
Accept-Language: en-US
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Host: loki-sgi.platform.saas.ibm.com
User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36
Content-Length: 0

HTTP/1.1 200 OK
Date: Mon, 17 Jun 2024 01:34:52 GMT
Content-Type: application/octet-stream
Content-Length: 2
Connection: keep-alive
CF-Cache-Status: DYNAMIC
Server: cloudflare
CF-RAY: 894f4cbc5b8b38a3-IAD
Set-Cookie: 2dd7ffe3e648bc0f3a47034a7978800f=3b4e4248c169e6d9fce96caac7b9f538; path=/; HttpOnly; Secure; SameSite=None

OK

Missing or insecure HTTP Strict-Transport-Security

Reasoning: AppScan detected that the HTTP Strict-Transport-Security response header is missing or has an insufficient "max-age".

Test Requests and Responses:

GET / HTTP/1.1
Accept-Language: en-US
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Host: loki-sgi.platform.saas.ibm.com
User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36
Content-Length: 0

HTTP/1.1 200 OK
Date: Mon, 17 Jun 2024 01:34:52 GMT
Content-Type: application/octet-stream
Content-Length: 2
Connection: keep-alive
CF-Cache-Status: DYNAMIC
Server: cloudflare
CF-RAY: 894f4cbc5b8b38a3-IAD
Set-Cookie: 2dd7ffe3e648bc0f3a47034a7978800f=3b4e4248c169e6d9fce96caac7b9f538; path=/; HttpOnly; Secure; SameSite=None

OK

Missing “Referrer policy” Security Header

Reasoning: AppScan detected that the Referrer-Policy response header is missing or has an insecure policy, which increases exposure to various cross-site injection attacks.

Test Requests and Responses:

GET / HTTP/1.1
Accept-Language: en-US
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Host: loki-sgi.platform.saas.ibm.com
User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36
Content-Length: 0

HTTP/1.1 200 OK
Date: Mon, 17 Jun 2024 01:34:18 GMT
Content-Type: application/octet-stream
Content-Length: 2
Connection: keep-alive
CF-Cache-Status: DYNAMIC
Server: cloudflare
CF-RAY: 894f4be6d93e9c3c-IAD
Set-Cookie: 2dd7ffe3e648bc0f3a47034a7978800f=9ac3d0966558598165f2d8a39ff43225; path=/; HttpOnly; Secure; SameSite=None

OK

Did you try to configure your Grafana/Loki (and read their docs) properly, or are you just following the security report blindly? Did you also discover SQL injection?

We have already done some investigation. For Grafana, custom_http_headers can be configured, but we cannot find a way to do this for Grafana Loki.

Do you load the Grafana Loki response into a browser directly? IMHO no, so it doesn't make sense. Of course, if you just want to "silence" DAST, then use your favourite reverse proxy in front of Loki and configure the "missing" headers there.
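As an added example (not code from the thread, Grafana or Loki), the following script re-runs the four header checks from the report against a raw HTTP response, so the result of putting a reverse proxy in front of Loki can be verified before the next scan. The HSTS minimum age, the set of accepted Referrer-Policy values and the hardened response are assumptions chosen for this example, not AppScan's exact rules.

```python
import re

# Thresholds used by this example; assumptions, not AppScan's exact rule set.
HSTS_MIN_AGE = 31536000  # one year, in seconds
SAFE_REFERRER = {"no-referrer", "same-origin", "strict-origin",
                 "strict-origin-when-cross-origin"}

def parse_headers(raw):
    """Return a lowercase-keyed dict of the headers in a raw HTTP response."""
    head = re.split(r"\r?\n\r?\n", raw, maxsplit=1)[0]
    headers = {}
    for line in head.splitlines()[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers

def audit(raw):
    """Return the list of findings for a response; an empty list means all four checks pass."""
    h = parse_headers(raw)
    findings = []
    if "content-security-policy" not in h:
        findings.append("Missing Content-Security-Policy header")
    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("Missing or insecure X-Content-Type-Options header")
    age = re.search(r"max-age\s*=\s*(\d+)", h.get("strict-transport-security", ""), re.I)
    if not age or int(age.group(1)) < HSTS_MIN_AGE:
        findings.append("Missing or insecure HTTP Strict-Transport-Security")
    # Referrer-Policy may list fallbacks; browsers honour the last value they recognise.
    policies = [p.strip().lower() for p in h.get("referrer-policy", "").split(",") if p.strip()]
    if not policies or policies[-1] not in SAFE_REFERRER:
        findings.append("Missing or insecure Referrer-Policy header")
    return findings

# Response as captured in the thread (Cloudflare-fronted Loki root endpoint), trimmed.
SCANNED = ("HTTP/1.1 200 OK\r\n"
           "Content-Type: application/octet-stream\r\n"
           "\r\nOK")

# Constructed response: what a reverse proxy in front of Loki could return instead.
HARDENED = ("HTTP/1.1 200 OK\r\n"
            "Content-Type: application/octet-stream\r\n"
            "Content-Security-Policy: default-src 'none'; frame-ancestors 'none'\r\n"
            "X-Content-Type-Options: nosniff\r\n"
            "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
            "Referrer-Policy: no-referrer\r\n"
            "\r\nOK")

if __name__ == "__main__":
    for label, raw in (("scanned", SCANNED), ("hardened", HARDENED)):
        print(label, audit(raw) or ["all checks pass"])
```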