[ https://issues.apache.org/jira/browse/SPARK-24508?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Marcelo Vanzin resolved SPARK-24508.
------------------------------------
    Resolution: Won't Fix

> Spark WebUIs [Security] - Inadequate Cache Directive Headers
> ------------------------------------------------------------
>
>                 Key: SPARK-24508
>                 URL: https://issues.apache.org/jira/browse/SPARK-24508
>             Project: Spark
>          Issue Type: Bug
>          Components: Web UI
>    Affects Versions: 2.3.0
>            Reporter: t oo
>            Priority: Major
>              Labels: security
>
> Several web portals do not use sufficient cache related headers.
> Cache related headers instruct browsers and intermediary proxies to not
> cache any data received or sent. The following cache related headers were
> missing or not properly set:
> * Cache-Control: not set to no-cache no-store
> * Pragma header missing
> * Expires header not backdated or -1
> The following applications/requests are affected (note that this is a
> non-exhaustive list, recommendations should be applied to all applications):
> [https://host:8480/api/v1/applications/app-20180522035225-0000/allexecutors]
> [https://host:18480/api/v1/applications?limit=1500&status=completed]
>
> *Business impact / attack scenario*
> By allowing proxies or browsers to cache sensitive information, it is
> possible for an attacker with access to the machine to retrieve information
> about Spark infrastructure.
>
> *Recommendation*
> Set the following cache related headers for all sensitive information:
> Cache-Control: no-cache no-store
> Pragma: no-cache
> Expires: -1
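
A header audit for the three findings listed in the report above, as an added example (not part of the JIRA issue or of Spark's code). The function names and the sample responses are constructed for illustration; the last sample shows that Cache-Control directives only count when they are comma-separated.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

def parse_directives(value):
    """Split a comma-separated header value into {directive: argument or None}."""
    out = {}
    for part in value.split(","):
        name, _, arg = part.strip().partition("=")
        if name:
            out[name.strip().lower()] = arg.strip().strip('"') or None
    return out

def already_expired(value, now):
    """True if an Expires value lies in the past. HTTP caches treat an
    unparseable date such as "0" or "-1" as already expired."""
    try:
        when = parsedate_to_datetime(value.strip())
    except (TypeError, ValueError):
        return True
    if when.tzinfo is None:  # a "-0000" zone parses as naive; treat as UTC
        when = when.replace(tzinfo=timezone.utc)
    return when <= now

def audit_cache_headers(headers, now=None):
    """Return the report's findings that apply to one response's headers."""
    now = now or datetime.now(timezone.utc)
    h = {k.lower(): v for k, v in headers.items()}
    findings = []
    cc = parse_directives(h.get("cache-control", ""))
    absent = [d for d in ("no-cache", "no-store") if d not in cc]
    if absent:
        findings.append("Cache-Control lacks " + ", ".join(absent))
    if "no-cache" not in parse_directives(h.get("pragma", "")):
        findings.append("Pragma: no-cache missing")
    if "expires" not in h or not already_expired(h["expires"], now):
        findings.append("Expires missing or not in the past")
    return findings

# Constructed sample responses (not captured from a real Spark UI).
NOW = datetime(2018, 6, 11, tzinfo=timezone.utc)
CACHEABLE = {"Cache-Control": "max-age=3600",
             "Expires": "Fri, 01 Jan 2100 00:00:00 GMT"}
HARDENED = {"Cache-Control": "no-cache, no-store", "Pragma": "no-cache", "Expires": "-1"}
# Directives are comma-separated: a space-separated value is one unknown token.
SPACE_SEPARATED = dict(HARDENED, **{"Cache-Control": "no-cache no-store"})

if __name__ == "__main__":
    for name, hdrs in [("cacheable", CACHEABLE), ("hardened", HARDENED),
                       ("space-separated", SPACE_SEPARATED)]:
        print(name, audit_cache_headers(hdrs, NOW) or "ok")
```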