Vulnerability testing questions

Hello,

A few questions came out of due-diligence vulnerability testing on our side.

Question 1
The following ports were found to be open:

  • 2052 / tcp / www
  • 2053 / tcp / www
  • 2082 / tcp / www
  • 2083 / tcp / www
  • 2086 / tcp / www
  • 2087 / tcp / www
  • 2095 / tcp / www
  • 2096 / tcp / www
  • 8080 / tcp / www
  • 8443 / tcp / www
  • 8880 / tcp / www

Is this expected? If so, what are these ports used for?

Notably, these ports are only seem to be open for one of our services. Could it be because it’s an old service? Perhaps re-creating the service would solve this issue?

Question 2
We are setting HTTP Strict Transport Security (HSTS) headers for our service, but they don’t seem to be passed through. Is this a limitation of Render?

Question 3
An SSL certificate for one of our services seems to be expired. Is this something we can take care of on our end?

Thanks in advance,
John

Good morning @Render, any advice on this topic?

Hey John,

Q1: Render runs automatic port detection on your services and will expose any ports that your app opens. Only one port will be exposed to the internet, while the others are only accessible by your other Render services. Is your app listening on these ports? Port detection runs on every deploy, so you can update the ports by running a new deploy of your service. Alternatively, if you define the PORT environment variable, Render will only expose that port without running any port detection.

Q2: Response headers should be passed through as-is from your Render service to the client. Can you share an example request? Also note that HTTPS is enforced at Render’s proxy. Regardless of this setting, users will not be able to access your service via HTTP over the internet.

Q3: This should not require any action from you. Can you share the domain that is having this issue?

Feel free to DM me any information you would prefer not to share publicly.

Hi @jake,

Thanks for your reply.

Q1: It looks like these ports are permitted by Cloudflare default. Is it possible to only permit 80/443? We prefer not to have unused open ports for security/auditing reasons.

Q2: The HSTS problem appears on some but not all of our services. For instance, our static site https://admin.our-domain.com includes the strict-transport-security: max-age=31536000 response header, but https://service.our-domain.com does not.

Q3: The expired SSL certificate was resolved after a redeploy.

Thanks again for your help.