Hi Fellow Spark users,
We are using Spark 2.3.0, and our security team is reporting a violation that
Spark allows the HTTP OPTIONS method to work (this method exposes all the
methods supported by the endpoint, which could be exploited by a hacker).

This method is on Jetty web server, I see Spark uses Jetty for web UI and
some internal communication as well.

For the Spark UI, we are planning to write a javax filter, create a jar and add
it to the Spark libs so that it does not respond to the OPTIONS method. We don't
have a clean solution for the internal Jetty server that is used as a file server though.

It would be nice if Spark itself didn't allow the OPTIONS method to work,
similar to what was done for TRACE -
https://issues.apache.org/jira/browse/SPARK-5983

What do you guys think? Does the community feel this should be something added
directly to the Spark code?

Also, if there is a later version of Spark where this has been addressed,
please let us know too.

-- 
Thanks & Regards,
Ankit.
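A sketch of the kind of servlet filter the post describes, added here as an example; it is not the poster's code or part of the Spark project. It assumes the javax.servlet API that Spark 2.3.0's bundled Jetty provides, registration through the real `spark.ui.filters` setting, and a hypothetical package name `example`; it only covers the web UI, not the internal file server the post mentions.

```java
import java.io.IOException;
import java.util.*;

import javax.servlet.*;
import javax.servlet.http.*;

/**
 * Rejects HTTP methods the UI does not need (OPTIONS by default, plus TRACE
 * as belt and braces) before any Jetty handler can answer them.
 *
 * Register on the Spark UI (package name "example" is hypothetical):
 *   spark.ui.filters=example.MethodBlockingFilter
 *   spark.example.MethodBlockingFilter.param.blockedMethods=OPTIONS,TRACE
 */
public class MethodBlockingFilter implements Filter {
    private Set<String> blocked = new HashSet<>(Arrays.asList("OPTIONS", "TRACE"));

    @Override
    public void init(FilterConfig config) {
        // An optional init-param overrides the default list, e.g. "OPTIONS,TRACE".
        String param = config.getInitParameter("blockedMethods");
        if (param != null && !param.trim().isEmpty()) {
            blocked = new HashSet<>();
            for (String m : param.split(",")) {
                blocked.add(m.trim().toUpperCase(Locale.ROOT));
            }
        }
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        String method = ((HttpServletRequest) req).getMethod().toUpperCase(Locale.ROOT);
        if (blocked.contains(method)) {
            // 405 without an Allow header: the list of supported methods stays undisclosed.
            ((HttpServletResponse) res).sendError(HttpServletResponse.SC_METHOD_NOT_ALLOWED);
            return;
        }
        chain.doFilter(req, res);
    }

    @Override
    public void destroy() {}
}
```

The compiled class must be on the driver's classpath (for example in the Spark jars directory, as the post plans) before the UI starts, since `spark.ui.filters` is read at UI initialisation.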
