[ 
https://issues.apache.org/jira/browse/HADOOP-15457?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16975467#comment-16975467
 ] 

Bharat Viswanadham commented on HADOOP-15457:
---------------------------------------------

Hi [~kanwaljeets] [~rkanter]

Just want to understand this: in the Jira description, for other HTTP headers it is 
said "add support for headers to be able to get added via xml config"

But in the code, I see we have a regex and are reading all the values matching the 
regex from the configuration.

For example, to set the HSTS header, I think it should be set as 

{code:java}
<property>
     <name>hadoop.http.header.Strict_Transport_Security</name>
     <value>max-age=7200; includeSubDomains; preload</value>
</property>
{code}

So do you mean that reading from xml config means reading from core-site.xml, 
and you gave a sample value for the HSTS header?

{code:java}
<property>
     <name>hadoop.http.header.Strict_Transport_Security</name>
     <value>valHSTSFromXML</value>
</property>
{code}

> Add Security-Related HTTP Response Header in WEBUIs.
> ----------------------------------------------------
>
>                 Key: HADOOP-15457
>                 URL: https://issues.apache.org/jira/browse/HADOOP-15457
>             Project: Hadoop Common
>          Issue Type: Improvement
>            Reporter: Kanwaljeet Sachdev
>            Assignee: Kanwaljeet Sachdev
>            Priority: Major
>              Labels: security
>             Fix For: 3.2.0
>
>         Attachments: HADOOP-15457.001.patch, HADOOP-15457.002.patch, 
> HADOOP-15457.003.patch, HADOOP-15457.004.patch, HADOOP-15457.005.patch, 
> YARN-8198.001.patch, YARN-8198.002.patch, YARN-8198.003.patch, 
> YARN-8198.004.patch, YARN-8198.005.patch
>
>
> As of today, YARN web-ui lacks certain security-related http response 
> headers. We are planning to add a few default ones and also add support for 
> headers to be able to get added via xml config. Planning to make the below 
> two as default.
>  * X-XSS-Protection: 1; mode=block
>  * X-Content-Type-Options: nosniff
>  
> Support for headers via config properties in core-site.xml will be along the 
> below lines
> {code:java}
> <property>
>      <name>hadoop.http.header.Strict_Transport_Security</name>
>      <value>valHSTSFromXML</value>
> </property>
> {code}
>  
> A regex matcher will lift these properties and add them to the response header 
> when Jetty prepares the response.
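
An added illustration, not part of the original comment or of the Hadoop patch: a Python audit that lifts `hadoop.http.header.*` properties from a core-site.xml and checks the HSTS value, showing why the placeholder `valHSTSFromXML` and the real directive string behave differently. The regex, the function names and the underscore-to-hyphen comparison are assumptions made for this check; the sample XML is constructed from the two values quoted in the thread.

```python
import re
import xml.etree.ElementTree as ET

# Assumed pattern for the property names quoted in the thread (not Hadoop's own regex).
HEADER_PROP = re.compile(r"^hadoop\.http\.header\.([A-Za-z_-]+)$")
# RFC 6797: max-age is required and takes a non-negative integer of seconds.
MAX_AGE = re.compile(r'^max-age="?\d+"?$', re.IGNORECASE)
KNOWN_FLAGS = {"includesubdomains", "preload"}

def site_xml(hsts_value):
    """Build a constructed core-site.xml with one header and one unrelated property."""
    return f"""<configuration>
  <property>
    <name>hadoop.http.header.Strict_Transport_Security</name>
    <value>{hsts_value}</value>
  </property>
  <property>
    <name>hadoop.tmp.dir</name>
    <value>/tmp/hadoop</value>
  </property>
</configuration>"""

def lift_headers(xml_text):
    """Return {header name as written in the property: value} for matching properties."""
    headers = {}
    for prop in ET.fromstring(xml_text).iter("property"):
        match = HEADER_PROP.match((prop.findtext("name") or "").strip())
        if match:
            headers[match.group(1)] = (prop.findtext("value") or "").strip()
    return headers

def hsts_problems(value):
    """List reasons a Strict-Transport-Security value would be ignored or is suspect."""
    directives = [d.strip() for d in value.split(";") if d.strip()]
    problems = []
    if not any(MAX_AGE.match(d) for d in directives):
        problems.append("missing max-age=<seconds>")
    for d in directives:
        if not MAX_AGE.match(d) and d.lower() not in KNOWN_FLAGS:
            problems.append(f"unrecognised directive: {d}")
    return problems

def audit(xml_text):
    """Check every lifted property that names the HSTS header (underscores treated as hyphens)."""
    return {name: hsts_problems(value)
            for name, value in lift_headers(xml_text).items()
            if name.replace("_", "-").lower() == "strict-transport-security"}

if __name__ == "__main__":
    for sample in ("valHSTSFromXML", "max-age=7200; includeSubDomains; preload"):
        print(sample, "->", audit(site_xml(sample)))
```

The header name is reported exactly as it appears in the property, so the audit output also shows whether a deployment wrote the name with underscores or hyphens.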


