abhishek bafna created OOZIE-2612:
-------------------------------------

             Summary: Add CSRF Filter for REST APIs
                 Key: OOZIE-2612
                 URL: https://issues.apache.org/jira/browse/OOZIE-2612
             Project: Oozie
          Issue Type: Bug
          Components: security
            Reporter: abhishek bafna
            Assignee: abhishek bafna

CSRF prevention for REST APIs can be provided through the Hadoop Common servlet filter. This filter would check for the existence of an expected (configurable) HTTP header, such as X-XSRF-Header. This filter is added in Hadoop 2.8.0, so we might need to wait for some time.

The fact that CSRF attacks are entirely browser based means that the above approach can ensure that requests are coming either from applications served by the same origin as the REST API, or that there is an explicit policy configuration that allows the setting of a header on XmlHttpRequest from another origin.

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
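As an added illustration (not code from the Oozie or Hadoop projects), a Python model of the header-presence check described in the issue, paired with the browser-side rule that makes it work: a custom header reaches the API only from the same origin, or from another origin that the API's CORS policy explicitly allows. The header name, the origins and the shape of the CORS policy are assumptions.

```python
"""Model of a header-presence CSRF filter for REST APIs (added example)."""
from dataclasses import dataclass, field

# Header name taken from the issue text; only its presence is checked, not its value.
DEFAULT_HEADER = "X-XSRF-HEADER"


@dataclass
class CsrfFilterConfig:
    header_name: str = DEFAULT_HEADER
    # Assumed CORS policy shape: origins and headers the API allows cross-origin.
    cors_allowed_origins: set = field(default_factory=set)
    cors_allowed_headers: set = field(default_factory=set)


def has_custom_header(headers: dict, name: str) -> bool:
    """HTTP header names are case-insensitive, so compare folded names."""
    return any(k.lower() == name.lower() for k in headers)


def csrf_filter(headers: dict, config: CsrfFilterConfig) -> tuple:
    """Return (status, reason) the filter would produce for one request."""
    if has_custom_header(headers, config.header_name):
        return 200, "allowed: expected header present"
    return 400, f"rejected: missing {config.header_name}"


def browser_can_send(origin: str, api_origin: str, header: str, config) -> bool:
    """Whether a browser attaches a custom header on an XHR from `origin`.
    Same origin: always. Cross-origin: only when the API's CORS policy lists
    both the origin and the header (what the preflight response would allow)."""
    if origin == api_origin:
        return True
    return (origin in config.cors_allowed_origins
            and header.lower() in {h.lower() for h in config.cors_allowed_headers})


def simulate(origin: str, api_origin: str, config: CsrfFilterConfig,
             attach_header: bool = True) -> tuple:
    """Build the headers a browser would really send, then run the filter.
    A cross-site form POST or image request never carries a custom header,
    so attach_header=False models that case explicitly."""
    headers = {"Host": api_origin.split("//", 1)[1]}  # constructed request
    if attach_header and browser_can_send(origin, api_origin, config.header_name, config):
        headers[config.header_name] = "1"
    return csrf_filter(headers, config)
```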