[ https://issues.apache.org/jira/browse/SPARK-22188?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Sean Owen updated SPARK-22188:
------------------------------
    Shepherd:  (was: Sean Owen)
       Flags:  (was: Important)
    Priority: Minor  (was: Critical)
  Issue Type: Improvement  (was: Bug)

Given Spark UIs are internal to corporate networks, I don't think this can be considered a significant bug or problem.

> Add defense against Cross-Site Scripting, MIME-sniffing and MitM attack
> -----------------------------------------------------------------------
>
>                 Key: SPARK-22188
>                 URL: https://issues.apache.org/jira/browse/SPARK-22188
>             Project: Spark
>          Issue Type: Improvement
>          Components: Spark Core
>    Affects Versions: 2.2.0
>            Reporter: Krishna Pandey
>            Priority: Minor
>              Labels: security
>
> The HTTP response headers below can be added to improve security.
>
> The HTTP *Strict-Transport-Security* response header (often abbreviated as
> HSTS) is a security feature that lets a web site tell browsers that it should
> only be communicated with using HTTPS, instead of using HTTP.
>
> *Note:* The Strict-Transport-Security header is ignored by the browser when
> your site is accessed using HTTP; this is because an attacker may intercept
> HTTP connections and inject the header or remove it. When your site is
> accessed over HTTPS with no certificate errors, the browser knows your site
> is HTTPS capable and will honor the Strict-Transport-Security header.
>
> *An example scenario*
>
> You log into a free WiFi access point at an airport and start surfing the
> web, visiting your online banking service to check your balance and pay a
> couple of bills. Unfortunately, the access point you're using is actually a
> hacker's laptop, and they're intercepting your original HTTP request and
> redirecting you to a clone of your bank's site instead of the real thing. Now
> your private data is exposed to the hacker.
> Strict Transport Security resolves this problem; as long as you've accessed
> your bank's web site once using HTTPS, and the bank's web site uses Strict
> Transport Security, your browser will know to automatically use only HTTPS,
> which prevents hackers from performing this sort of man-in-the-middle attack.
>
> *Syntax:*
> Strict-Transport-Security: max-age=<expire-time>
> Strict-Transport-Security: max-age=<expire-time>; includeSubDomains
> Strict-Transport-Security: max-age=<expire-time>; preload
>
> Read more at
> https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security
>
> The HTTP *X-XSS-Protection* response header is a feature of Internet
> Explorer, Chrome and Safari that stops pages from loading when they detect
> reflected cross-site scripting (XSS) attacks.
>
> *Syntax:*
> X-XSS-Protection: 0
> X-XSS-Protection: 1
> X-XSS-Protection: 1; mode=block
> X-XSS-Protection: 1; report=<reporting-uri>
>
> Read more at
> https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection
>
> The HTTP *X-Content-Type-Options* response header is used to protect against
> MIME sniffing vulnerabilities. These vulnerabilities can occur when a website
> allows users to upload content to it; the user disguises a particular file
> type as something else. This can give them the opportunity to perform
> cross-site scripting and compromise the website.
>
> Read more at
> https://www.keycdn.com/support/x-content-type-options/ and
> https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options
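Added example, not part of the JIRA issue and not Spark project code: a small Python audit of the three response headers the report describes, run against constructed header sets. It encodes the report's own caveat (browsers ignore Strict-Transport-Security on a plain-HTTP response, so emitting it there buys nothing), treats `max-age=0` as a policy reset rather than a defense, and applies the hstspreload.org submission requirement (max-age of at least one year plus includeSubDomains alongside preload), which is an external fact, not something the issue states. Function names (`audit_headers`, `parse_hsts`, `check_xss_protection`) and the sample headers are mine.

```python
"""Audit HSTS, X-XSS-Protection and X-Content-Type-Options on a captured response.

Example code written for this discussion; not from Spark or the JIRA issue.
"""
from typing import Dict, List, Optional

# Constructed sample: what a hardened UI response would carry over HTTPS.
GOOD_HEADERS = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "X-Content-Type-Options": "nosniff",
    "X-XSS-Protection": "1; mode=block",
}

ONE_YEAR = 31536000  # hstspreload.org minimum max-age when 'preload' is set


def parse_hsts(value: str) -> Optional[dict]:
    """Parse 'max-age=<n>[; includeSubDomains][; preload]'; None if malformed."""
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, arg = part.partition("=")
        directives[name.strip().lower()] = arg.strip().strip('"')
    # max-age is the only mandatory directive and must be a non-negative integer.
    if not directives.get("max-age", "").isdigit():
        return None
    return {
        "max_age": int(directives["max-age"]),
        "include_subdomains": "includesubdomains" in directives,
        "preload": "preload" in directives,
    }


def check_xss_protection(value: str) -> Optional[str]:
    """Return a finding for a weak X-XSS-Protection value, or None if acceptable."""
    parts = [p.strip() for p in value.split(";")]
    if parts[0] == "0":
        return "X-XSS-Protection: 0 explicitly disables the browser's reflected-XSS filter"
    if parts[0] != "1":
        return "X-XSS-Protection malformed: %r" % value
    if "mode=block" not in parts[1:]:
        return "X-XSS-Protection lacks mode=block, so the browser sanitises rather than refusing to render the page"
    return None


def audit_headers(headers: Dict[str, str], scheme: str) -> List[str]:
    """Return findings for a response fetched over `scheme`; [] means all three defenses are in place."""
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    findings: List[str] = []

    # 1. HSTS: only meaningful over a clean HTTPS connection.
    hsts = h.get("strict-transport-security")
    if scheme.lower() != "https":
        findings.append("HSTS cannot take effect: response served over %s, browsers ignore it unless over https" % scheme)
    elif hsts is None:
        findings.append("Strict-Transport-Security missing")
    else:
        parsed = parse_hsts(hsts)
        if parsed is None:
            findings.append("Strict-Transport-Security malformed: %r" % hsts)
        elif parsed["max_age"] == 0:
            findings.append("Strict-Transport-Security max-age=0 clears any stored policy instead of setting one")
        elif parsed["preload"] and (not parsed["include_subdomains"] or parsed["max_age"] < ONE_YEAR):
            findings.append("preload set but preload-list requirements (includeSubDomains, max-age >= 1 year) not met")

    # 2. X-Content-Type-Options: the only defined value is 'nosniff'.
    xcto = h.get("x-content-type-options")
    if xcto is None:
        findings.append("X-Content-Type-Options missing")
    elif xcto.strip().lower() != "nosniff":
        findings.append("X-Content-Type-Options has unexpected value %r (expected 'nosniff')" % xcto)

    # 3. X-XSS-Protection.
    xss = h.get("x-xss-protection")
    if xss is None:
        findings.append("X-XSS-Protection missing")
    else:
        finding = check_xss_protection(xss)
        if finding:
            findings.append(finding)

    return findings


if __name__ == "__main__":
    for scheme in ("https", "http"):
        print(scheme, audit_headers(GOOD_HEADERS, scheme) or "OK")
    print("bare UI", audit_headers({}, "https"))
```

Running the block audits the constructed header set over both schemes and then an empty header set, which is roughly what a default Spark UI response in this version would look like; the same function can be pointed at real headers captured with curl -I or a browser's network panel.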