Larry McCay created HADOOP-12691:
------------------------------------

             Summary: Add CSRF Filter to Hadoop Common
                 Key: HADOOP-12691
                 URL: https://issues.apache.org/jira/browse/HADOOP-12691
             Project: Hadoop Common
          Issue Type: Bug
          Components: security
            Reporter: Larry McCay
            Assignee: Larry McCay
             Fix For: 3.0.0
CSRF prevention for REST APIs can be provided through a common servlet filter. This filter would check for the existence of an expected (configurable) HTTP header, such as X-Requested-By.

The fact that CSRF attacks are entirely browser based means that the above approach can ensure that requests are coming either from applications served by the same origin as the REST API, or from another origin for which there is explicit policy configuration that allows the setting of a header on XMLHttpRequest.

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
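The following is an added illustration of the filter the issue describes; it is not Hadoop's code and does not reproduce whatever HADOOP-12691 eventually shipped. It assumes the standard javax.servlet Filter API, a hypothetical init-param name `custom-header` for configuring the expected header, and `X-Requested-By` as the default taken from the description above. The decision logic is kept in its own method so it can be unit-tested without a servlet container.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Illustrative CSRF-prevention filter (example code, not Hadoop's own).
 *
 * A page served from a foreign origin cannot attach a custom header to a
 * browser-issued request unless the target origin explicitly permits it
 * through CORS. The mere presence of the configured header therefore
 * indicates the request was built by script the API owner controls (or
 * by a non-browser client, which CSRF does not concern).
 */
public class CustomHeaderCsrfFilter implements Filter {

  // Hypothetical init-param name; the issue does not specify one.
  public static final String HEADER_PARAM = "custom-header";
  // Default header named in the issue description.
  public static final String DEFAULT_HEADER = "X-Requested-By";

  private String headerName = DEFAULT_HEADER;

  @Override
  public void init(FilterConfig config) throws ServletException {
    String configured = config.getInitParameter(HEADER_PARAM);
    if (configured != null && !configured.trim().isEmpty()) {
      headerName = configured.trim();
    }
  }

  /** Returns true when the request carries the expected header with a non-empty value. */
  boolean isRequestAllowed(HttpServletRequest request) {
    String value = request.getHeader(headerName);
    // The defence rests on presence, not content: a browser cannot add this
    // header cross-origin without an explicit CORS allowance from this API.
    return value != null && !value.isEmpty();
  }

  @Override
  public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
      throws IOException, ServletException {
    HttpServletRequest request = (HttpServletRequest) req;
    HttpServletResponse response = (HttpServletResponse) res;

    if (isRequestAllowed(request)) {
      chain.doFilter(request, response);
    } else {
      // Reject early; nothing downstream sees the request.
      response.sendError(HttpServletResponse.SC_BAD_REQUEST,
          "Missing required header: " + headerName);
    }
  }

  @Override
  public void destroy() {
    // nothing to release
  }
}
```

Two points worth checking when deploying something like this: every legitimate client, browser-based or not, must now send the header (a plain `curl` call without it receives 400), and the protection only holds as long as the API's own CORS configuration does not list the header (or `*`) in `Access-Control-Allow-Headers` for untrusted origins, since that is exactly the "explicit policy configuration" the description refers to.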