[ https://issues.apache.org/jira/browse/SPARK-22188?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Sean Owen updated SPARK-22188:
------------------------------
      Shepherd:   (was: Sean Owen)
         Flags:   (was: Important)
      Priority: Minor  (was: Critical)
    Issue Type: Improvement  (was: Bug)

Given Spark UIs are internal to corporate networks, I don't think this can be 
considered a significant bug or problem.

> Add defense against Cross-Site Scripting, MIME-sniffing and MitM attack
> -----------------------------------------------------------------------
>
>                 Key: SPARK-22188
>                 URL: https://issues.apache.org/jira/browse/SPARK-22188
>             Project: Spark
>          Issue Type: Improvement
>          Components: Spark Core
>    Affects Versions: 2.2.0
>            Reporter: Krishna Pandey
>            Priority: Minor
>              Labels: security
>
> The HTTP response headers below can be added to improve security.
> The HTTP *Strict-Transport-Security* response header (often abbreviated as 
> HSTS) is a security feature that lets a web site tell browsers that it should 
> only be communicated with using HTTPS, instead of using HTTP.
> *Note:* The Strict-Transport-Security header is ignored by the browser when 
> your site is accessed using HTTP; this is because an attacker may intercept 
> HTTP connections and inject the header or remove it. When your site is 
> accessed over HTTPS with no certificate errors, the browser knows your site 
> is HTTPS capable and will honor the Strict-Transport-Security header.
> *An example scenario*
> You log into a free WiFi access point at an airport and start surfing the 
> web, visiting your online banking service to check your balance and pay a 
> couple of bills. Unfortunately, the access point you're using is actually a 
> hacker's laptop, and they're intercepting your original HTTP request and 
> redirecting you to a clone of your bank's site instead of the real thing. Now 
> your private data is exposed to the hacker.
> Strict Transport Security resolves this problem; as long as you've accessed 
> your bank's web site once using HTTPS, and the bank's web site uses Strict 
> Transport Security, your browser will know to automatically use only HTTPS, 
> which prevents hackers from performing this sort of man-in-the-middle attack.
> *Syntax:*
> Strict-Transport-Security: max-age=<expire-time>
> Strict-Transport-Security: max-age=<expire-time>; includeSubDomains
> Strict-Transport-Security: max-age=<expire-time>; preload
> Read more at 
> https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security
> The HTTP *X-XSS-Protection* response header is a feature of Internet 
> Explorer, Chrome and Safari that stops pages from loading when they detect 
> reflected cross-site scripting (XSS) attacks.
> *Syntax:*
> X-XSS-Protection: 0
> X-XSS-Protection: 1
> X-XSS-Protection: 1; mode=block
> X-XSS-Protection: 1; report=<reporting-uri>
> Read more at 
> https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection
> The HTTP *X-Content-Type-Options* response header is used to protect against 
> MIME sniffing vulnerabilities. These vulnerabilities can occur when a website 
> allows users to upload content to a website; however, the user disguises a 
> particular file type as something else. This can give them the opportunity to 
> perform cross-site scripting and compromise the website. Read more at 
> https://www.keycdn.com/support/x-content-type-options/ and 
> https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options
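A response-header audit in the spirit of this request, added here as example code (it is not part of the issue or of Spark): it parses the Strict-Transport-Security directives quoted above, checks the X-XSS-Protection and X-Content-Type-Options values, and flags HSTS served over plain HTTP, which the note above says browsers ignore. The expected value `nosniff` for X-Content-Type-Options is not stated in the issue, and the two sample header sets are constructed.

```python
from typing import Dict, List, Union

# Constructed samples: a UI response with none of the proposed headers, and the
# same response once the three headers from the issue have been added.
SAMPLE_BEFORE = {"Content-Type": "text/html;charset=utf-8"}
SAMPLE_AFTER = {
    "Content-Type": "text/html;charset=utf-8",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "X-XSS-Protection": "1; mode=block",
    "X-Content-Type-Options": "nosniff",
}


def parse_hsts(value: str) -> Dict[str, Union[int, bool]]:
    """Split 'max-age=<n>; includeSubDomains; preload' into a dict.
    Directive names are case-insensitive; valueless directives map to True."""
    out: Dict[str, Union[int, bool]] = {}
    for raw in value.split(";"):
        token = raw.strip()
        if not token:
            continue
        name, _, val = token.partition("=")
        val = val.strip()
        out[name.strip().lower()] = int(val) if val.isdigit() else True
    return out


def audit_headers(scheme: str, headers: Dict[str, str]) -> List[str]:
    """Return findings for the three defenses; an empty list means all present."""
    lower = {k.lower(): v.strip() for k, v in headers.items()}
    findings: List[str] = []
    hsts = lower.get("strict-transport-security")
    if hsts is None:
        findings.append("missing Strict-Transport-Security")
    else:
        directives = parse_hsts(hsts)
        if not isinstance(directives.get("max-age"), int):
            findings.append("HSTS lacks a numeric max-age")
        elif directives["max-age"] == 0:
            findings.append("HSTS max-age=0 disables the policy")
        if scheme != "https":  # browsers ignore HSTS received over plain HTTP
            findings.append("HSTS served over plain HTTP is ignored by browsers")
    xss = lower.get("x-xss-protection")
    if xss is None:
        findings.append("missing X-XSS-Protection")
    elif not xss.startswith("1"):  # '0' turns the reflected-XSS filter off
        findings.append("X-XSS-Protection filter disabled")
    if lower.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options is not 'nosniff'")
    return findings
```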



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
