[ https://issues.apache.org/jira/browse/AMBARI-13304?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Robert Levas updated AMBARI-13304: ---------------------------------- Attachment: (was: AMBARI-13304_trunk_01.patch) > Add security-related HTTP headers to Views to keep Ambari up to date with > best-practices > ---------------------------------------------------------------------------------------- > > Key: AMBARI-13304 > URL: https://issues.apache.org/jira/browse/AMBARI-13304 > Project: Ambari > Issue Type: Bug > Components: ambari-server > Affects Versions: 1.7.0 > Reporter: Robert Levas > Assignee: Robert Levas > Fix For: 2.2.0, 2.0.3, 2.1.3 > > Attachments: AMBARI-13304_branch-2.0.maint_01.patch, > AMBARI-13304_branch-2.1_01.patch > > > Add security-related HTTP headers to Views to keep Ambari up to date with > best-practices. > * Strict-Transport-Security > * X-Frame-Options > * X-XSS-Protection > These headers should be configurable via the ambari.properties such that they > may be turned on or off - and set to some custom value. > The default value for this headers should be as follows: > * Strict-Transport-Security: max-age=31536000 > * X-Frame-Options: DENY > * X-XSS-Protection: 1; mode=block > Strict-Transport-Security should only be turned on if SSL is enabled. > The relevant Ambari properties should be: > * Strict-Transport-Security: http.strict-transport-security > * X-Frame-Options: http.x-frame-options > * X-XSS-Protection: http.x-xss-protection > By setting any of these to be empty, the header is to be turned off (or not > set). > For example: > {code:title=Sets Strict-Transport-Security to a custom value} > http.strict-transport-security=max-age=31536000; includeSubDomains > {code} > {code:title=Turns Strict-Transport-Security off} > http.strict-transport-security= > {code} -- This message was sent by Atlassian JIRA (v6.3.4#6332)