A few questions came out of due-diligence vulnerability testing on our side.
Question 1
The following ports were found to be open:
2052 / tcp / www
2053 / tcp / www
2082 / tcp / www
2083 / tcp / www
2086 / tcp / www
2087 / tcp / www
2095 / tcp / www
2096 / tcp / www
8080 / tcp / www
8443 / tcp / www
8880 / tcp / www
Is this expected? If so, what are these ports used for?
Notably, these ports only seem to be open for one of our services. Could it be because it's an old service? Perhaps re-creating the service would solve this issue?
Question 2
We are setting HTTP Strict Transport Security (HSTS) headers for our service, but they don’t seem to be passed through. Is this a limitation of Render?
Question 3
An SSL certificate for one of our services seems to be expired. Is this something we can take care of on our end?
Q1: Render runs automatic port detection on your services and will expose any ports that your app opens. Only one port will be exposed to the internet, while the others are only accessible by your other Render services. Is your app listening on these ports? Port detection runs on every deploy, so you can update the ports by running a new deploy of your service. Alternatively, if you define the PORT environment variable, Render will only expose that port without running any port detection.
Q2: Response headers should be passed through as-is from your Render service to the client. Can you share an example request? Also note that HTTPS is enforced at Render’s proxy. Regardless of this setting, users will not be able to access your service via HTTP over the internet.
Q3: This should not require any action from you. Can you share the domain that is having this issue?
Feel free to DM me any information you would prefer not to share publicly.
Q1: It looks like these ports are permitted by Cloudflare by default. Is it possible to only permit 80/443? We prefer not to have unused open ports for security/auditing reasons.
Q2: The HSTS problem appears on some but not all of our services. For instance, our static site https://admin.our-domain.com includes the strict-transport-security: max-age=31536000 response header, but https://service.our-domain.com does not.
Q3: The expired SSL certificate was resolved after a redeploy.
If your web service serves web traffic on port 80, we will expose it externally. We do not expose any other ports on your application to the internet. If you try connecting to them, we will refuse the connection. Your web service on Render is compliant with your security requirements.
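To verify both answers from the customer's side, the following added Python script (example code written for this page, not Render's tooling and not something posted in the thread) does two things: it attempts a TCP handshake on each port from the scan above plus 80 and 443, reporting whether the connection completed, was actively refused (an RST, which is what the reply above promises) or timed out (dropped by a filter), and it fetches the HTTPS response for the host and parses the Strict-Transport-Security header per RFC 6797, flagging a missing header, a malformed or zero max-age, or a max-age shorter than the one-year value quoted for admin.our-domain.com. The host name is a command-line argument; the header strings used in the offline demo are constructed assumptions, not captured responses.

```python
import socket
import ssl
import sys
import http.client
from typing import Dict, Optional

# Ports reported by the due-diligence scan in the thread, plus the two that
# should be the only externally reachable ones.
SCANNED_PORTS = [80, 443, 2052, 2053, 2082, 2083, 2086, 2087,
                 2095, 2096, 8080, 8443, 8880]

ONE_YEAR = 31536000  # max-age quoted for admin.our-domain.com in the thread


def tcp_probe(host: str, port: int, timeout: float = 3.0) -> str:
    """Return 'open' if a TCP handshake completes, 'refused' on RST,
    'filtered' on timeout or other network error."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "refused"
    except (socket.timeout, OSError):
        return "filtered"


def parse_hsts(header_value: Optional[str]) -> Dict[str, object]:
    """Parse a Strict-Transport-Security value into its directives.
    Directive names are case-insensitive; max-age may be quoted. A missing
    header yields {}; a malformed max-age is stored as None."""
    directives: Dict[str, object] = {}
    if not header_value:
        return directives
    for part in header_value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        if name == "max-age":
            try:
                directives[name] = int(value)
            except ValueError:
                directives[name] = None
        else:
            directives[name] = True  # includeSubDomains, preload, etc.
    return directives


def hsts_is_adequate(directives: Dict[str, object], min_age: int = ONE_YEAR) -> bool:
    """True only when max-age is a well-formed integer of at least min_age.
    max-age=0 is a valid header but it *removes* the policy, so it fails."""
    age = directives.get("max-age")
    return isinstance(age, int) and age >= min_age


def fetch_hsts(host: str, timeout: float = 5.0) -> Optional[str]:
    """HEAD / over HTTPS and return the raw HSTS header, if any. Browsers
    ignore HSTS on plain HTTP, so only the TLS response matters."""
    ctx = ssl.create_default_context()
    conn = http.client.HTTPSConnection(host, 443, timeout=timeout, context=ctx)
    try:
        conn.request("HEAD", "/", headers={"Host": host})
        return conn.getresponse().getheader("Strict-Transport-Security")
    finally:
        conn.close()


def audit(host: str) -> Dict[str, object]:
    """Combine the port probe and the HSTS check for one host."""
    ports = {p: tcp_probe(host, p) for p in SCANNED_PORTS}
    raw = fetch_hsts(host)
    directives = parse_hsts(raw)
    return {
        "ports": ports,
        "unexpected_open": [p for p, s in ports.items() if s == "open" and p not in (80, 443)],
        "hsts_raw": raw,
        "hsts_ok": hsts_is_adequate(directives),
    }


if __name__ == "__main__":
    if len(sys.argv) > 1:
        for key, val in audit(sys.argv[1]).items():
            print(f"{key}: {val}")
    else:
        # Offline demo on constructed header values (assumed, not captured).
        for sample in [None, "max-age=31536000", 'max-age="63072000"; includeSubDomains; preload', "max-age=0"]:
            d = parse_hsts(sample)
            print(f"{sample!r:55} -> {d} adequate={hsts_is_adequate(d)}")
```

Run it as `python hsts_port_audit.py service.our-domain.com`. A port showing "open" outside 80/443 contradicts the reply above and is worth raising again; "refused" and "filtered" both mean nothing is reachable there. For the HSTS check, compare the two hosts from the thread: the one that returns `max-age=31536000` passes, the one with no header fails, and a redeploy can then be confirmed the same way.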