[ https://issues.apache.org/jira/browse/MESOS-5219?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15249981#comment-15249981 ]

Neil Conway commented on MESOS-5219:
------------------------------------

[~dlaidlaw] -- thanks for the report. I'm not very familiar with XSS attacks or click jacking -- can you describe a hypothetical scenario in which Mesos would be involved in such an attack, and how the headers you suggest adding would prevent the attack?

> Add security headers to HTTP response
> -------------------------------------
>
>                 Key: MESOS-5219
>                 URL: https://issues.apache.org/jira/browse/MESOS-5219
>             Project: Mesos
>          Issue Type: Improvement
>          Components: HTTP API
>            Reporter: Don Laidlaw
>
> Cross site scripting and click jacking are major concerns. Many issues can be
> resolved by setting some headers in the HTTP responses for the user interface
> and rest responses for both the master and slave processes.
>
> X-Frame-Options: Can be set to deny, sameorigin, or allow-from <uri>
> X-XSS-Protection: 1; mode=block
>
> These would go a long way to making sites using mesos more secure. Note that
> the user exploiting attacks does not need to have access to the mesos hosts,
> they are attacked through a user's web browser. So if the user can connect to
> both mesos and the internet, it is an issue.

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
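The following is an added example, not code from the Mesos project or from either participant in the thread. It does two things a defender reviewing this request would want: build the header set the issue proposes (validating the X-Frame-Options value against the three forms the issue lists), and audit a raw HTTP response to report whether the headers are present and well-formed. The sample responses are constructed for illustration and do not reflect what any Mesos endpoint actually returns. Two caveats from later practice: browsers never widely honoured the allow-from form, and current browsers have dropped the X-XSS-Protection filter entirely, so Content-Security-Policy (frame-ancestors) is the mechanism to reach for today; the audit below still checks exactly the two headers the issue asks for.

```python
"""Added example for MESOS-5219 (not Mesos code): produce the proposed
security headers and audit a raw HTTP response for them."""
from typing import Dict, List, Optional, Tuple

# Forms the issue lists for X-Frame-Options; comparison is case-insensitive.
FRAME_OPTION_VALUES = ("DENY", "SAMEORIGIN", "ALLOW-FROM")


def security_headers(frame_option: str = "DENY",
                     allow_from: Optional[str] = None) -> Dict[str, str]:
    """Headers a server would add to every master/agent response.

    frame_option is DENY, SAMEORIGIN or ALLOW-FROM; ALLOW-FROM needs a URI.
    """
    opt = frame_option.upper()
    if opt not in FRAME_OPTION_VALUES:
        raise ValueError(f"unsupported X-Frame-Options value: {frame_option!r}")
    if opt == "ALLOW-FROM":
        if not allow_from:
            raise ValueError("ALLOW-FROM requires a URI")
        value = f"ALLOW-FROM {allow_from}"
    else:
        value = opt
    return {"X-Frame-Options": value, "X-XSS-Protection": "1; mode=block"}


def parse_response_headers(raw: str) -> Tuple[str, Dict[str, str]]:
    """Split a raw HTTP/1.x response into its status line and a header map.

    Header names are lower-cased so lookups are case-insensitive; any body is ignored.
    """
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if ":" not in line:
            continue  # skip blank or malformed lines
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def audit_headers(headers: Dict[str, str]) -> List[str]:
    """Return findings for the two proposed headers; empty means both are fine."""
    findings: List[str] = []
    xfo = headers.get("x-frame-options")
    if xfo is None:
        findings.append("missing X-Frame-Options (any origin may frame the page: clickjacking)")
    else:
        parts = xfo.split(None, 1)
        token = parts[0].upper()
        if token not in FRAME_OPTION_VALUES:
            findings.append(f"unrecognised X-Frame-Options value {xfo!r}; browsers ignore unknown values")
        elif token == "ALLOW-FROM" and len(parts) < 2:
            findings.append("X-Frame-Options ALLOW-FROM given without a URI")
    xss = headers.get("x-xss-protection")
    if xss is None:
        findings.append("missing X-XSS-Protection")
    elif not xss.replace(" ", "").startswith("1"):
        findings.append(f"X-XSS-Protection {xss!r} does not enable the filter")
    return findings


def audit_raw_response(raw: str) -> List[str]:
    """Convenience wrapper: parse a raw response and audit its headers."""
    _, headers = parse_response_headers(raw)
    return audit_headers(headers)


# Constructed sample: a JSON endpoint response with no security headers.
BEFORE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: application/json\r\n"
    "Content-Length: 2\r\n"
    "\r\n"
    "{}"
)

# Constructed sample: the same response after the proposed headers are added.
AFTER = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: application/json\r\n"
    + "".join(f"{k}: {v}\r\n" for k, v in security_headers("SAMEORIGIN").items())
    + "Content-Length: 2\r\n"
    "\r\n"
    "{}"
)

if __name__ == "__main__":
    for label, raw in (("before", BEFORE), ("after", AFTER)):
        findings = audit_raw_response(raw)
        print(f"{label}: {'ok' if not findings else findings}")
```

Running the script prints two findings for the constructed "before" response and `ok` for the "after" one; the same `audit_raw_response` function can be pointed at captured responses from any HTTP endpoint you administer to confirm the headers survived proxies and load balancers.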