[ 
https://issues.apache.org/jira/browse/HBASE-23303?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16991125#comment-16991125
 ] 

Hudson commented on HBASE-23303:
--------------------------------

Results for branch branch-2.1
        [build #1735 on builds.a.o|https://builds.apache.org/job/HBase%20Nightly/job/branch-2.1/1735/]: (x) *{color:red}-1 overall{color}*
----
details (if available):

(/) {color:green}+1 general checks{color}
-- For more information [see general report|https://builds.apache.org/job/HBase%20Nightly/job/branch-2.1/1735//General_Nightly_Build_Report/]

(x) {color:red}-1 jdk8 hadoop2 checks{color}
-- For more information [see jdk8 (hadoop2) report|https://builds.apache.org/job/HBase%20Nightly/job/branch-2.1/1735//JDK8_Nightly_Build_Report_(Hadoop2)/]

(x) {color:red}-1 jdk8 hadoop3 checks{color}
-- For more information [see jdk8 (hadoop3) report|https://builds.apache.org/job/HBase%20Nightly/job/branch-2.1/1735//JDK8_Nightly_Build_Report_(Hadoop3)/]

(/) {color:green}+1 source release artifact{color}
-- See build output for details.

(/) {color:green}+1 client integration test{color}


> Add security headers to REST server/info page
> ---------------------------------------------
>
>                 Key: HBASE-23303
>                 URL: https://issues.apache.org/jira/browse/HBASE-23303
>             Project: HBase
>          Issue Type: Improvement
>          Components: REST
>    Affects Versions: 3.0.0, 2.0.6, 2.1.7, 2.2.2
>            Reporter: Andor Molnar
>            Assignee: Andor Molnar
>            Priority: Major
>             Fix For: 3.0.0, 2.3.0, 2.2.3, 2.1.9
>
>
> Vulnerability scanners suggest that the following extra headers should be
> added to both Info/Rest server endpoints which are exposed by the {{hbase-rest}}
> project.
>  * X-Frame-Options: SAMEORIGIN
>  * X-Xss-Protection: 1; mode=block
>  * X-Content-Type-Options: nosniff
>  * Strict-Transport-Security: "max-age=63072000;includeSubDomains;preload"
>  * Content-Security-Policy: default-src https: data: 'unsafe-inline' 'unsafe-eval'
> Info server already has "X-Frame-Options: DENY" which is more restrictive
> than "SAMEORIGIN", so it's probably fine. All three headers are missing
> from REST responses.
> I'll put together a patch to resolve this.
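A check that compares a response's headers against the list in the issue description, added here as an example; it is not code from the HBase project or from the issue. The sample header sets are constructed, and X-Frame-Options: DENY is accepted as the stricter alternative the description mentions.

```python
"""Check an HTTP response's headers against the list in HBASE-23303."""
from typing import Dict, List

# Values from the issue description. HSTS max-age is 63072000 seconds (two years).
REQUIRED_HSTS_MAX_AGE = 63072000
# DENY is stricter than SAMEORIGIN, so the Info server's existing value passes.
FRAME_OPTIONS_OK = {"DENY", "SAMEORIGIN"}


def hsts_max_age(value: str) -> int:
    """Return the max-age directive of an HSTS value, or -1 if absent or malformed."""
    for directive in value.replace('"', "").split(";"):
        name, _, val = directive.strip().partition("=")
        if name.strip().lower() == "max-age" and val.strip().isdigit():
            return int(val)
    return -1


def check_security_headers(headers: Dict[str, str]) -> List[str]:
    """Return a list of findings; an empty list means every header is present and acceptable."""
    h = {k.lower(): v.strip() for k, v in headers.items()}  # header names are case-insensitive
    findings = []
    if h.get("x-frame-options", "").upper() not in FRAME_OPTIONS_OK:
        findings.append("X-Frame-Options missing or not DENY/SAMEORIGIN")
    if h.get("x-xss-protection", "").replace(" ", "") != "1;mode=block":
        findings.append("X-Xss-Protection missing or not '1; mode=block'")
    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options missing or not nosniff")
    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("Strict-Transport-Security missing")
    elif hsts_max_age(hsts) < REQUIRED_HSTS_MAX_AGE:
        findings.append("Strict-Transport-Security max-age below %d" % REQUIRED_HSTS_MAX_AGE)
    if not h.get("content-security-policy"):
        findings.append("Content-Security-Policy missing")
    return findings


# Constructed sample header sets; not captured from a real HBase deployment.
REST_BEFORE_FIX = {"Content-Type": "application/json", "Content-Length": "42"}
INFO_SERVER = {"X-Frame-Options": "DENY", "Content-Type": "text/html"}
HARDENED = {
    "X-Frame-Options": "SAMEORIGIN",
    "X-Xss-Protection": "1; mode=block",
    "X-Content-Type-Options": "nosniff",
    "Strict-Transport-Security": "max-age=63072000;includeSubDomains;preload",
    "Content-Security-Policy": "default-src https: data: 'unsafe-inline' 'unsafe-eval'",
}
```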



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
