Robert Levas created AMBARI-13351:
-------------------------------------
Summary: Security-related HTTP headers should be set separately
for Ambari Views than for Ambari server UI
Key: AMBARI-13351
URL: https://issues.apache.org/jira/browse/AMBARI-13351
Project: Ambari
Issue Type: Bug
Components: ambari-server
Affects Versions: 2.1.3
Reporter: Robert Levas
Assignee: Robert Levas
Fix For: 2.1.3
The security-related HTTP headers should be set separately for the Ambari Views
than for the Ambari server UI. This is because they have different
requirements. For example, the Ambari server UI should not be allowed to
execute in an iframe (by default), whereas an Ambari View must be able to execute in
an iframe invoked from the same origin.
The relevant headers are:
* Strict-Transport-Security
* X-Frame-Options
* X-XSS-Protection
These headers should be configurable via the ambari.properties such that they
may be turned on or off - and set to some custom value.
The default values for these headers should be as follows:
* Strict-Transport-Security: max-age=31536000
* X-Frame-Options: SAMEORIGIN
* X-XSS-Protection: 1; mode=block
Strict-Transport-Security should only be turned on if SSL is enabled.
The relevant Ambari properties should be:
* Strict-Transport-Security: views.http.strict-transport-security
* X-Frame-Options: views.http.x-frame-options
* X-XSS-Protection: views.http.x-xss-protection
By setting any of these to be empty, the header is to be turned off (or not
set).
For example:
{code:title=Sets Strict-Transport-Security to a custom value}
views.http.strict-transport-security=max-age=31536000; includeSubDomains
{code}
{code:title=Turns Strict-Transport-Security off}
views.http.strict-transport-security=
{code}
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
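The policy described in the issue (per-scope defaults, an empty property value turning a header off, a custom value kept verbatim even when it contains '=', and Strict-Transport-Security emitted only when SSL is enabled) can be checked outside a servlet container. The following is an added example written for this page, not Ambari's own code: it models the rules as a pure function over a parsed ambari.properties fragment. The views.http.* keys are the ones named in the issue; the un-prefixed http.* keys for the server UI, the DENY default for the server UI's X-Frame-Options, and the sample properties text are assumptions of this example.

```python
"""Model of the per-scope security-header policy from AMBARI-13351.

Added example, not Ambari's own code. It models the rules stated in the issue
(defaults, empty value turns a header off, HSTS only when SSL is on) as a pure
function so the policy can be exercised and tested without a servlet container.
"""

# Defaults named in the issue.
DEFAULTS = {
    "Strict-Transport-Security": "max-age=31536000",
    "X-Frame-Options": "SAMEORIGIN",
    "X-XSS-Protection": "1; mode=block",
}

# Property key suffix per header. The issue names the views.* keys; using the
# same suffix without a prefix for the server UI is an assumption of this example.
PROPERTY_SUFFIX = {
    "Strict-Transport-Security": "http.strict-transport-security",
    "X-Frame-Options": "http.x-frame-options",
    "X-XSS-Protection": "http.x-xss-protection",
}

SCOPE_PREFIX = {"views": "views.", "server": ""}

# Assumption: the server UI is not framed at all by default, since the issue says
# it "should not be allowed to execute in an iframe (by default)", while a View
# must be frameable from the same origin (SAMEORIGIN).
SCOPE_DEFAULT_OVERRIDES = {"server": {"X-Frame-Options": "DENY"}}

# Constructed sample, not a real ambari.properties file.
SAMPLE_PROPERTIES = """
# custom HSTS value for Views; note the '=' inside the value
views.http.strict-transport-security=max-age=31536000; includeSubDomains
# empty value: X-XSS-Protection is turned off for Views
views.http.x-xss-protection=
"""


def parse_properties(text):
    """Parse a minimal Java .properties file: '#'/'!' comment lines and
    key=value pairs, split at the FIRST '=' so a value such as
    'max-age=31536000; includeSubDomains' is kept intact.
    (The ':' and whitespace separators of the full format are not handled.)"""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if not sep:
            continue  # no separator: not a key=value line, ignore it
        props[key.strip()] = value.strip()
    return props


def security_headers(props, scope, ssl_enabled):
    """Return the headers to add to responses for `scope` ('views' or 'server').

    - key absent from props      -> the default value for that scope
    - key present but empty      -> the header is not set
    - Strict-Transport-Security  -> only emitted when SSL is enabled; RFC 6797
      requires clients to ignore HSTS received over plain HTTP anyway
    """
    prefix = SCOPE_PREFIX[scope]
    overrides = SCOPE_DEFAULT_OVERRIDES.get(scope, {})
    headers = {}
    for name, suffix in PROPERTY_SUFFIX.items():
        default = overrides.get(name, DEFAULTS[name])
        value = props.get(prefix + suffix, default)
        if value == "":
            continue  # explicitly turned off in ambari.properties
        if name == "Strict-Transport-Security" and not ssl_enabled:
            continue  # HSTS is meaningless without HTTPS
        headers[name] = value
    return headers


if __name__ == "__main__":
    props = parse_properties(SAMPLE_PROPERTIES)
    for scope in ("views", "server"):
        for ssl in (True, False):
            print(scope, "ssl=%s" % ssl, security_headers(props, scope, ssl))
```

The same function can back a servlet filter: resolve the scope from the request path (Views are served under a separate path from the server UI), call it once at startup per scope, and copy the resulting map onto each response. Keeping the policy as a pure function makes the empty-value and SSL cases unit-testable, which is where misconfigurations of this kind usually slip through.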