Aah - actually found https://issues.apache.org/jira/browse/SPARK-18664 - "Don't respond to HTTP OPTIONS in HTTP-based UIs"
Does anyone know if this can be prioritized?

Thanks
Ankit

On Tue, Apr 30, 2019 at 1:31 PM Ankit Jain <ankitjain....@gmail.com> wrote:

> Hi Fellow Spark users,
> We are using Spark 2.3.0 and security team is reporting a violation that
> Spark allows HTTP OPTIONS method to work (This method exposes what all
> methods are supported by the end point which could be exploited by a
> hacker).
>
> This method is on Jetty web server, I see Spark uses Jetty for web UI and
> some internal communication as well.
>
> For Spark UI, we are planning to write a javax filter, create a jar and add
> it to spark libs to not respond to options method. We don't have a clean
> solution for internal jetty server that is used as a file server though.
>
> It will be nice if Spark itself didn't allow Options method to work,
> similar to what was done for TRACE -
> https://issues.apache.org/jira/browse/SPARK-5983
>
> What do you guys think? Does community feel this should be something added
> directly to spark code?
>
> Also, if there is a later version of Spark where this has been addressed,
> please let us know too.
>
> --
> Thanks & Regards,
> Ankit.

--
Thanks & Regards,
Ankit.
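
The servlet filter approach mentioned in the message above, sketched as an added example that is not part of the original thread and is not Spark's own code. The package, class name and the `blockedMethods` init parameter are hypothetical; the filter would be registered through Spark's `spark.ui.filters` setting and covers only the web UI, not the internal Jetty file server the message refers to.

```java
// Added example (hypothetical names). Build into a jar, put it on the Spark
// classpath, and set: spark.ui.filters=com.example.sparkui.RejectMethodsFilter
package com.example.sparkui;

import java.io.IOException;
import java.util.Collections;
import java.util.HashSet;
import java.util.Locale;
import java.util.Set;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class RejectMethodsFilter implements Filter {
    // Methods refused by default; "blockedMethods" (hypothetical init-param) overrides.
    private Set<String> blocked = Collections.singleton("OPTIONS");

    @Override
    public void init(FilterConfig config) {
        String param = config.getInitParameter("blockedMethods");
        if (param == null) return;
        Set<String> parsed = new HashSet<>();
        for (String m : param.split(",")) {
            if (!m.trim().isEmpty()) parsed.add(m.trim().toUpperCase(Locale.ROOT));
        }
        if (!parsed.isEmpty()) blocked = parsed; // keep the default on an empty list
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse resp, FilterChain chain)
            throws IOException, ServletException {
        if (req instanceof HttpServletRequest && resp instanceof HttpServletResponse) {
            String method = ((HttpServletRequest) req).getMethod();
            if (method != null && blocked.contains(method.toUpperCase(Locale.ROOT))) {
                // Refuse before the UI handlers run. No Allow header is set here,
                // so the response does not list the supported methods.
                ((HttpServletResponse) resp).sendError(HttpServletResponse.SC_METHOD_NOT_ALLOWED);
                return;
            }
        }
        chain.doFilter(req, resp); // every other method passes through unchanged
    }

    @Override
    public void destroy() { }
}
```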