[ https://issues.apache.org/jira/browse/HBASE-23303?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16991125#comment-16991125 ]
Hudson commented on HBASE-23303: -------------------------------- Results for branch branch-2.1 [build #1735 on builds.a.o|https://builds.apache.org/job/HBase%20Nightly/job/branch-2.1/1735/]: (x) *{color:red}-1 overall{color}* ---- details (if available): (/) {color:green}+1 general checks{color} -- For more information [see general report|https://builds.apache.org/job/HBase%20Nightly/job/branch-2.1/1735//General_Nightly_Build_Report/] (x) {color:red}-1 jdk8 hadoop2 checks{color} -- For more information [see jdk8 (hadoop2) report|https://builds.apache.org/job/HBase%20Nightly/job/branch-2.1/1735//JDK8_Nightly_Build_Report_(Hadoop2)/] (x) {color:red}-1 jdk8 hadoop3 checks{color} -- For more information [see jdk8 (hadoop3) report|https://builds.apache.org/job/HBase%20Nightly/job/branch-2.1/1735//JDK8_Nightly_Build_Report_(Hadoop3)/] (/) {color:green}+1 source release artifact{color} -- See build output for details. (/) {color:green}+1 client integration test{color} > Add security headers to REST server/info page > --------------------------------------------- > > Key: HBASE-23303 > URL: https://issues.apache.org/jira/browse/HBASE-23303 > Project: HBase > Issue Type: Improvement > Components: REST > Affects Versions: 3.0.0, 2.0.6, 2.1.7, 2.2.2 > Reporter: Andor Molnar > Assignee: Andor Molnar > Priority: Major > Fix For: 3.0.0, 2.3.0, 2.2.3, 2.1.9 > > > Vulnerability scanners suggest that the following extra headers should be > added to both Info/Rest server endpoints which are exposed by {{hbase-rest}} > project. > * X-Frame-Options: SAMEORIGIN > * X-Xss-Protection: 1; mode=block > * X-Content-Type-Options: nosniff > * Strict-Transport-Security: “max-age=63072000;includeSubDomains;preload” > * Content-Security-Policy: default-src https: data: 'unsafe-inline' > 'unsafe-eval' > Info server already has "X-Frame-Options: DENY" which is more restrictive > than "SAMEORIGIN", so it's probably fine. All of three headers are missing > from REST responses. > I'll put together a patch to resolve this. -- This message was sent by Atlassian Jira (v8.3.4#803005)