[ https://issues.apache.org/jira/browse/NIFI-7689?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17167952#comment-17167952 ]
Nathan Gough edited comment on NIFI-7689 at 7/30/20, 2:13 PM:
--------------------------------------------------------------
Hi Jon,
I'm not familiar with 'Qualys ID 11827' per se, but the following security
headers are applied globally to all HTTP responses in Apache NiFi v1.11.0:
||Header||Value||
|X-Frame-Options|SAMEORIGIN|
|Content-Security-Policy|frame-ancestors 'self'|
|X-XSS-Protection|1; mode=block|
|Strict-Transport-Security|max-age=31540000|
I have recently added the "X-Content-Type-Options: nosniff" header to responses
in Apache NiFi 1.12.0 here: NIFI-6094 which should be released soon. Hopefully
NiFi 1.12.0 should pass the Qualys scan as far as security headers are
concerned.
was (Author: thenatog):
Hi Jon,
I'm not familiar with 'Qualys ID 11827' per se, but the following security
headers are applied globally to all HTTP responses in Apache NiFi v1.11.0:
||Header||Value||
|X-Frame-Options|SAMEORIGIN|
|Content-Security-Policy|frame-ancestors 'self'|
|X-XSS-Protection|1; mode=block|
|Strict-Transport-Security|max-age=31540000|
I have recently added the "X-Content-Type-Options: nosniff" header to responses
in Apache NiFi 1.12.0 here: NIFI-6094 which should be released soon. Hopefully
NiFi 1.12.0 should pass the Qualsys scan as far as security headers are
concerned.
> QID 11827 Security Headers
> --------------------------
>
> Key: NIFI-7689
> URL: https://issues.apache.org/jira/browse/NIFI-7689
> Project: Apache NiFi
> Issue Type: Bug
> Components: Core Framework
> Reporter: Jon McAlexander
> Priority: Major
> Labels: compliance, headers, web
>
> Looking for appropriate document to configure the HTTP Security Headers to
> satisfy a Qualys ID 11827 Finding on Apache NiFi. Please advise.
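One way to check a response against the header values listed in the comment above, as an added example (not code from the NiFi project or from the comment's author). The function names and the sample response are constructed for illustration; in practice the input would be a response head captured from your own instance.

```python
# Expected values are the ones listed in the comment; nosniff is the header
# the comment says was added for NiFi 1.12.0 (NIFI-6094).
EXPECTED = {
    "x-frame-options": "SAMEORIGIN",
    "content-security-policy": "frame-ancestors 'self'",
    "x-xss-protection": "1; mode=block",
    "strict-transport-security": "max-age=31540000",
    "x-content-type-options": "nosniff",
}

# Constructed sample response head (not captured from a real NiFi instance).
SAMPLE_1_11 = (
    "HTTP/1.1 200 OK\r\n"
    "x-frame-options: SAMEORIGIN\r\n"
    "Content-Security-Policy: frame-ancestors 'self'\r\n"
    "X-XSS-Protection: 1;mode=block\r\n"
    "Strict-Transport-Security: max-age=31540000\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html></html>"
)

def parse_headers(raw):
    """Parse a raw response head into {lowercased name: [values]}."""
    headers = {}
    for line in raw.strip().splitlines()[1:]:  # skip the status line
        if not line.strip():
            break  # blank line ends the header block
        name, sep, value = line.partition(":")
        if sep:
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers

def directives(value):
    """Split on ';' and normalise case and whitespace for comparison."""
    return {" ".join(p.split()).lower() for p in value.split(";") if p.strip()}

def audit(raw):
    """Return {header: 'ok' | 'missing' | 'mismatch: <values seen>'}."""
    seen = parse_headers(raw)
    report = {}
    for name, want in EXPECTED.items():
        values = seen.get(name)
        if not values:
            report[name] = "missing"
        elif any(directives(want) <= directives(v) for v in values):
            report[name] = "ok"  # every expected directive is present
        else:
            report[name] = "mismatch: " + " | ".join(values)
    return report
```

A header passes when every expected directive is present, so a longer policy that still contains `frame-ancestors 'self'` is reported as ok rather than as a mismatch.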