[ https://issues.apache.org/jira/browse/KNOX-3124?focusedWorklogId=965634&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-965634 ]

ASF GitHub Bot logged work on KNOX-3124:
----------------------------------------

                Author: ASF GitHub Bot
            Created on: 10/Apr/25 16:55
            Start Date: 10/Apr/25 16:55
    Worklog Time Spent: 10m 
      Work Description: lmccay opened a new pull request, #1021:
URL: https://github.com/apache/knox/pull/1021

   ## What changes were proposed in this pull request?
   
   In order to add various security headers to a response, we can add a generic filter whose init params use the param name and value to indicate the header name and the string of directives for the header, respectively.
   
   This will allow admins to configure things like Content-Security-Policy, Cache-Control, etc. without the need to add separate filters for each one.
   
   ## How was this patch tested?
   
   New unit tests were added.
   All new and existing tests were run.
   Manual testing was done with the following web app sec provider config and curl command:
   
   ```
         <provider>
            <role>webappsec</role>
            <name>WebAppSec</name>
            <enabled>true</enabled>
            <param>
               <name>csrf.customHeader</name>
               <value>X-XSRF-Header</value>
            </param>
            <param>
               <name>csrf.methodsToIgnore</name>
               <value>GET,OPTIONS,HEAD</value>
            </param>
            <param>
               <name>xframe.options.enabled</name>
               <value>true</value>
            </param>
            <param>
               <name>xss.protection.enabled</name>
               <value>true</value>
            </param>
            <param>
               <name>strict.transport.enabled</name>
               <value>true</value>
            </param>
            <param>
               <name>xframe.options</name>
               <value>SAMEORIGIN</value>
            </param>
            <param>
               <name>security.header.enabled</name>
               <value>true</value>
            </param>
            <param>
               <name>security.header.Content-Security-Policy</name>
               <value>default-src 'self'</value>
            </param>
            <param>
               <name>security.header.Cache-Control</name>
               <value>max-age=604800</value>
            </param>
         </provider>
   ```
   
   Note the params with the "security.header." prefix and the headers added to the resulting output from the curl command below:
   
   ```
   curl -ivku admin:admin-password -X POST "https://localhost:8443/gateway/sandbox/clientid/api/v1/oauth/credentials"
   
   < HTTP/1.1 200 OK
   HTTP/1.1 200 OK
   < Date: Thu, 10 Apr 2025 12:03:04 GMT
   Date: Thu, 10 Apr 2025 12:03:04 GMT
   < X-Frame-Options: SAMEORIGIN
   X-Frame-Options: SAMEORIGIN
   < X-XSS-Protection: 1;mode=block
   X-XSS-Protection: 1;mode=block
   < Strict-Transport-Security: max-age=31536000
   Strict-Transport-Security: max-age=31536000
   < Cache-Control: max-age=604800
   Cache-Control: max-age=604800
   < Content-Security-Policy: default-src 'self'
   Content-Security-Policy: default-src 'self'
   < pattern: clientid/api/**?**
   pattern: clientid/api/**?**
   < Set-Cookie: KNOXSESSIONID=node0oggzblclwhrm1u6i6xsx4xn33.node0; Path=/gateway/sandbox; Secure; HttpOnly
   Set-Cookie: KNOXSESSIONID=node0oggzblclwhrm1u6i6xsx4xn33.node0; Path=/gateway/sandbox; Secure; HttpOnly
   < Expires: Thu, 01 Jan 1970 00:00:00 GMT
   Expires: Thu, 01 Jan 1970 00:00:00 GMT
   < Set-Cookie: rememberMe=deleteMe; Path=/gateway/sandbox; Max-Age=0; Expires=Wed, 09-Apr-2025 12:03:04 GMT; SameSite=lax
   Set-Cookie: rememberMe=deleteMe; Path=/gateway/sandbox; Max-Age=0; Expires=Wed, 09-Apr-2025 12:03:04 GMT; SameSite=lax
   < Content-Type: application/json
   Content-Type: application/json
   < Content-Length: 203
   Content-Length: 203
   < 
   ```
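The prefix convention described in the pull request, as an added illustration that is not Knox's own implementation: a hypothetical `GenericSecurityHeaderFilter` (javax.servlet API assumed) turns every `security.header.<Header-Name>` init param into a response header, treats `security.header.enabled` as the switch rather than as a header, and ignores the other provider params (`csrf.*`, `xframe.*`, ...) that belong to different filters. The startup validation of header names and values is an assumption added here, not something the PR states it does.

```java
import java.io.IOException;
import java.util.Collections;
import java.util.LinkedHashMap;
import java.util.Map;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;

// Hypothetical prefix-driven header filter (not Knox's own code): each init param
// "security.header.<Header-Name>" becomes a response header carrying the param value.
public class GenericSecurityHeaderFilter implements Filter {
  static final String PREFIX = "security.header.";
  static final String ENABLED = PREFIX + "enabled";   // on/off switch, never emitted
  private final Map<String, String> headers = new LinkedHashMap<>();
  private boolean enabled;

  @Override
  public void init(FilterConfig config) throws ServletException {
    enabled = Boolean.parseBoolean(config.getInitParameter(ENABLED));
    for (String name : Collections.list(config.getInitParameterNames())) {
      // csrf.*, xframe.*, xss.* etc. are handled by other filters in the provider
      if (!name.startsWith(PREFIX) || name.equals(ENABLED)) continue;
      String header = name.substring(PREFIX.length());
      String value = config.getInitParameter(name);
      // Fail at startup rather than emit a malformed header: the name must be a
      // plain HTTP token and the value must be non-empty and free of CR/LF.
      if (!header.matches("[A-Za-z0-9-]+") || value == null || value.trim().isEmpty()
          || value.indexOf('\r') >= 0 || value.indexOf('\n') >= 0) {
        throw new ServletException("Invalid security header param: " + name);
      }
      headers.put(header, value.trim());
    }
  }

  @Override
  public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
      throws IOException, ServletException {
    if (enabled && res instanceof HttpServletResponse) {
      HttpServletResponse http = (HttpServletResponse) res;
      // Set before the chain runs so the headers exist even if the downstream handler
      // commits the response early; setHeader replaces any earlier value of that name.
      headers.forEach(http::setHeader);
    }
    chain.doFilter(req, res);
  }

  @Override public void destroy() { }
}
```

With the provider config shown above, this filter emits exactly the two highlighted headers (Cache-Control and Content-Security-Policy) and nothing for `security.header.enabled`.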

Issue Time Tracking
-------------------

            Worklog Id:     (was: 965634)
    Remaining Estimate: 0h
            Time Spent: 10m

> Add Generic Security Header Filter to WebAppSec Provider
> --------------------------------------------------------
>
>                 Key: KNOX-3124
>                 URL: https://issues.apache.org/jira/browse/KNOX-3124
>             Project: Apache Knox
>          Issue Type: Improvement
>          Components: Server
>            Reporter: Larry McCay
>            Assignee: Larry McCay
>            Priority: Major
>             Fix For: 2.2.0
>
>          Time Spent: 10m
>  Remaining Estimate: 0h
>
> In order to add various security headers to a response, we can add a generic 
> filter whose init params use the param name and value to indicate the header 
> name and the string of directives for the header, respectively.
> This will allow admins to configure things like Content-Security-Policy, 
> Cache-Control, etc. without the need to add separate filters for each one.

--
This message was sent by Atlassian Jira
(v8.20.10#820010)