[jira] [Commented] (HADOOP-15457) Add Security-Related HTTP Response Header in WEBUIs.

Mon, 18 Nov 2019 11:32:22 -0800 


    [ 
https://issues.apache.org/jira/browse/HADOOP-15457?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16976818#comment-16976818
 ] 

Bharat Viswanadham commented on HADOOP-15457:
---------------------------------------------

These are added by default

X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff

 

Users does not need to do anything for above headers. To add customized 
additional headers, it should be added as below to core-site.xml.

<property>
<name>hadoop.http.header.http-header</name>
<value>http-header-val</value>
</property>

 

Now for adding HSTS header, it should be added like below, values need to be 
customized according to customer security needs.
<property>
<name>hadoop.http.header.Strict_Transport_Security</name>
<value>max-age=7200; includeSubDomains; preload</value>
</property>

> Add Security-Related HTTP Response Header in WEBUIs.
> ----------------------------------------------------
>
>                 Key: HADOOP-15457
>                 URL: https://issues.apache.org/jira/browse/HADOOP-15457
>             Project: Hadoop Common
>          Issue Type: Improvement
>            Reporter: Kanwaljeet Sachdev
>            Assignee: Kanwaljeet Sachdev
>            Priority: Major
>              Labels: security
>             Fix For: 3.2.0
>
>         Attachments: HADOOP-15457.001.patch, HADOOP-15457.002.patch, 
> HADOOP-15457.003.patch, HADOOP-15457.004.patch, HADOOP-15457.005.patch, 
> YARN-8198.001.patch, YARN-8198.002.patch, YARN-8198.003.patch, 
> YARN-8198.004.patch, YARN-8198.005.patch
>
>
> As of today, YARN web-ui lacks certain security related http response 
> headers. We are planning to add few default ones and also add support for 
> headers to be able to get added via xml config. Planning to make the below 
> two as default.
>  * X-XSS-Protection: 1; mode=block
>  * X-Content-Type-Options: nosniff
>  
> Support for headers via config properties in core-site.xml will be along the 
> below lines
> {code:java}
> <property>
>      <name>hadoop.http.header.Strict_Transport_Security</name>
>      <value>valHSTSFromXML</value>
>  </property>{code}
>  In the above example, valHSTSFromXML is an example value, this should be 
> configured according to the security requirements.
> With this Jira, users can set required headers by prefixing HTTP header with 
> hadoop.http.header. and configure with the required value in their 
> core-site.xml.
> Example:
>  
> {code:java}
> <property>
>  <name>hadoop.http.header.http-header>
>  <value>http-header-value</value>
> </property>
> {code}
>  
> A regex matcher will lift these properties and add into the response header 
> when Jetty prepares the response.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

---------------------------------------------------------------------
To unsubscribe, e-mail: common-issues-unsubscr...@hadoop.apache.org
For additional commands, e-mail: common-issues-h...@hadoop.apache.org

Reply via email to