[ 
https://issues.apache.org/jira/browse/HBASE-23303?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Andor Molnar updated HBASE-23303:
---------------------------------
    Description: 
Vulnerability scanners suggest that the following extra headers should be added 
to both Info/Rest server endpoints which are exposed by the {{hbase-rest}} project.
 * X-Content-Type-Options: nosniff
 * X-XSS-Protection: 1; mode=block
 * X-Frame-Options: SAMEORIGIN

Info server already has "X-Frame-Options: DENY" which is more restrictive than 
"SAMEORIGIN", so it's probably fine. All three headers are missing from REST 
responses.

I'll put together a patch to resolve this.

Let's add HSTS header too:
 * Strict-Transport-Security: max-age=31536000


  was:
Vulnerability scanners suggest that the following extra headers should be added 
to both Info/Rest server endpoints which are exposed by the {{hbase-rest}} project.
 * X-Content-Type-Options: nosniff
 * X-XSS-Protection: 1; mode=block
 * X-Frame-Options: SAMEORIGIN

Info server already has "X-Frame-Options: DENY" which is more restrictive than 
"SAMEORIGIN", so it's probably fine. All three headers are missing from REST 
responses.

I'll put together a patch to resolve this.


> Add security headers to REST server/info page
> ---------------------------------------------
>
>                 Key: HBASE-23303
>                 URL: https://issues.apache.org/jira/browse/HBASE-23303
>             Project: HBase
>          Issue Type: Improvement
>          Components: REST
>    Affects Versions: 3.0.0, 2.0.6, 2.1.7, 2.2.2
>            Reporter: Andor Molnar
>            Assignee: Andor Molnar
>            Priority: Major
>
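A way to verify the change the issue asks for, as an added example that is not part of the issue or of HBase's own code: it parses a raw HTTP response head and reports which of the four headers listed above are missing or weaker than requested. The two sample responses are constructed to stand in for the REST server before and after the patch.

```python
import re

# HSTS lifetime requested in the issue (one year, in seconds).
HSTS_MIN_AGE = 31536000


def parse_headers(raw: bytes) -> dict:
    """Return {lowercased-name: value} from a raw HTTP response (status line + headers)."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    _status, _, rest = head.partition("\r\n")
    headers = {}
    for line in rest.split("\r\n"):
        if line:
            name, _, value = line.partition(":")
            headers[name.strip().lower()] = value.strip()  # header names are case-insensitive
    return headers


def audit(headers: dict) -> list:
    """Return the findings a scanner would raise; an empty list means all four headers pass."""
    findings = []
    v = headers.get("x-content-type-options")
    if v is None or v.lower() != "nosniff":
        findings.append("X-Content-Type-Options missing or not 'nosniff'")
    v = headers.get("x-xss-protection")
    if v is None or re.sub(r"\s+", "", v.lower()) != "1;mode=block":
        findings.append("X-XSS-Protection missing or not '1; mode=block'")
    v = headers.get("x-frame-options")
    # DENY is stricter than SAMEORIGIN, so the info server's existing DENY also passes.
    if v is None or v.upper() not in ("DENY", "SAMEORIGIN"):
        findings.append("X-Frame-Options missing or not DENY/SAMEORIGIN")
    # Browsers only honour HSTS on responses received over TLS; the header still has
    # to be present with a max-age no shorter than the one the issue requests.
    m = re.search(r"max-age\s*=\s*(\d+)", headers.get("strict-transport-security", ""), re.I)
    if not m or int(m.group(1)) < HSTS_MIN_AGE:
        findings.append(f"Strict-Transport-Security missing or max-age below {HSTS_MIN_AGE}")
    return findings


# Constructed responses: what a scanner sees from the REST endpoint before and after the patch.
REST_BEFORE = (b"HTTP/1.1 200 OK\r\nContent-Type: application/json\r\n"
               b"Content-Length: 2\r\n\r\n{}")
REST_AFTER = (b"HTTP/1.1 200 OK\r\nContent-Type: application/json\r\n"
              b"X-Content-Type-Options: nosniff\r\nX-XSS-Protection: 1; mode=block\r\n"
              b"X-Frame-Options: SAMEORIGIN\r\n"
              b"Strict-Transport-Security: max-age=31536000\r\n"
              b"Content-Length: 2\r\n\r\n{}")

if __name__ == "__main__":
    for label, raw in (("before", REST_BEFORE), ("after", REST_AFTER)):
        print(label, audit(parse_headers(raw)) or ["ok"])
```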



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
