abhishek bafna created OOZIE-2612:
-------------------------------------
Summary: Add CSRF Filter for REST APIs
Key: OOZIE-2612
URL: https://issues.apache.org/jira/browse/OOZIE-2612
Project: Oozie
Issue Type: Bug
Components: security
Reporter: abhishek bafna
Assignee: abhishek bafna
CSRF prevention for REST APIs can be provided through the Hadoop Common servlet
filter. This filter would check for the existence of an expected (configurable)
HTTP header, such as X-XSRF-Header. This filter is added in Hadoop 2.8.0, so
we might need to wait for some time.
The fact that CSRF attacks are entirely browser based means that the above
approach can ensure that requests are coming from either applications served
by the same origin as the REST API, or from another origin where there is
explicit policy configuration that allows the setting of a header on
XMLHttpRequest.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
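The check the issue describes, written out as an added example that is not part of the Oozie or Hadoop code bases: a small WSGI middleware that rejects state-changing browser requests lacking a configured custom header. The header name, the list of exempt methods and the browser User-Agent patterns are assumptions chosen for this example (they mirror the shape of the Hadoop filter's settings but are not copied from it), and the sample requests at the bottom are constructed here.

```python
import re
from typing import Iterable, Mapping, Tuple

# Assumed defaults for this example only; the real filter takes these from
# Hadoop configuration and its exact names/defaults are not asserted here.
DEFAULT_HEADER = "X-XSRF-HEADER"
DEFAULT_IGNORED_METHODS = frozenset({"GET", "HEAD", "OPTIONS", "TRACE"})
DEFAULT_BROWSER_UA_REGEXES = (r"^Mozilla.*", r"^Opera.*")


class CsrfHeaderFilter:
    """Reject state-changing browser requests that lack the expected header.

    Why a header is enough: a browser only attaches a custom header when the
    page's own script does so via XMLHttpRequest/fetch. A same-origin page can
    always do that; a cross-origin page can only do it if the API's CORS policy
    explicitly allows the header in a preflight. A plain <form> POST, <img> or
    link navigation can never carry it, so a missing header marks a request
    that could have been forged by another site.
    """

    def __init__(self, header: str = DEFAULT_HEADER,
                 ignored_methods: Iterable[str] = DEFAULT_IGNORED_METHODS,
                 browser_ua_regexes: Iterable[str] = DEFAULT_BROWSER_UA_REGEXES):
        self.header = header.lower()
        self.ignored_methods = {m.upper() for m in ignored_methods}
        self.browser_ua = [re.compile(p) for p in browser_ua_regexes]

    def is_browser(self, user_agent: str) -> bool:
        # CSRF relies on a browser's ambient credentials; non-browser clients
        # (curl, SDKs) are let through so they need not know the header.
        return any(p.match(user_agent or "") for p in self.browser_ua)

    def check(self, method: str, headers: Mapping[str, str]) -> Tuple[bool, str]:
        """Return (allowed, reason). Header names compare case-insensitively."""
        lowered = {k.lower(): v for k, v in headers.items()}
        if method.upper() in self.ignored_methods:
            return True, "safe method"
        if not self.is_browser(lowered.get("user-agent", "")):
            return True, "non-browser client"
        if self.header in lowered:
            # Only presence matters: the value is not a secret. The guarantee
            # comes from the browser refusing to add it cross-origin.
            return True, "header present"
        return False, f"missing {self.header} header"

    def __call__(self, app):
        """Wrap a WSGI app so every request passes through check()."""
        def wrapped(environ, start_response):
            headers = {k[5:].replace("_", "-"): v
                       for k, v in environ.items() if k.startswith("HTTP_")}
            ok, reason = self.check(environ.get("REQUEST_METHOD", "GET"), headers)
            if not ok:
                start_response("403 Forbidden", [("Content-Type", "text/plain")])
                return [f"CSRF check failed: {reason}\n".encode()]
            return app(environ, start_response)
        return wrapped


def run_once(app, method: str, headers: Mapping[str, str]) -> str:
    """Drive a WSGI app with a minimal constructed environ; return the status."""
    environ = {"REQUEST_METHOD": method}
    for name, value in headers.items():
        environ["HTTP_" + name.upper().replace("-", "_")] = value
    status_box = []
    app(environ, lambda status, hdrs: status_box.append(status))
    return status_box[0]


def protected_app(environ, start_response):
    """Stand-in for the REST API behind the filter."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"ok\n"]


if __name__ == "__main__":
    api = CsrfHeaderFilter()(protected_app)
    ua = "Mozilla/5.0 (X11; Linux x86_64)"           # constructed browser UA
    # Forged cross-site form POST: browser sends cookies but no custom header.
    print(run_once(api, "POST", {"User-Agent": ua}))
    # Same-origin XHR that set the header: allowed.
    print(run_once(api, "POST", {"User-Agent": ua, "X-XSRF-HEADER": "1"}))
```

The User-Agent exemption does not weaken the protection: an attacker's page cannot change the victim browser's User-Agent any more than it can add a custom header, so a forged request still arrives as a browser request without the header. The one thing the filter cannot do is protect exempt methods, which is why GET handlers must not change state.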