Hello Attila Bukor, Kudu Jenkins, Andrew Wong, Abhishek Chennaka, I'd like you to reexamine a change. Please visit
http://gerrit.cloudera.org:8080/18253 to look at the new patch set (#8). Change subject: [webserver] add security-related HTTP headers ...................................................................... [webserver] add security-related HTTP headers To please various security scanners, this patch adds the following HTTP headers into Kudu embedded webserver's responses: * Cache-Control (set to 'no-store' by default, see [1]) * X-Content-Type-Options (set to 'nosniff' by default, see [2]) * Strict-Transport-Security (see [3] and below for details) The embedded webserver adds the HTTP strict transport security (HSTS) header 'Strict-Transport-Security' for responses sent from HTTPS (i.e. TLS-protected) endpoints if --webserver_hsts_max_age_seconds is set to a non-negative value. The header contains the 'max-age' attribute as specified by the flag, and adds the optional 'includeSubDomains' attribute as per set setting of the --webserver_hsts_include_sub_domains flag. The HSTS header isn't added to the responses sent from plain HTTP endpoints (BTW, it seems most browsers simply ignore the HSTS header anyway if it's received from an HTTP, not an HTTPS endpoint). Essentially, the HSTS header for Kudu is a no-op since the embedded webserver doesn't serve both HTTP and HTTPS endpoints at the same time: one can enable one of the other, but never both. However, many security scanners almost cry "Security breach" if they don't see the header :) Adding the HSTS header isn't enabled by default since it could make other plain HTTP endpoints at the same node/hostname inaccessible. To enable adding the HSTS header for HTTPS responses, set the --webserver_hsts_max_age_seconds flag to a non-negative integer. Enable it with care and only if you know what you are doing! One extra test added and a few existing ones updated correspondingly to cover the newly introduced functionality. [1] https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Cache-Control [2] https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options [3] https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security Change-Id: Id844b9588196b3d608765d0f16f5caec1c414d41 --- M src/kudu/server/webserver-test.cc M src/kudu/server/webserver.cc 2 files changed, 135 insertions(+), 7 deletions(-) git pull ssh://gerrit.cloudera.org:29418/kudu refs/changes/53/18253/8 -- To view, visit http://gerrit.cloudera.org:8080/18253 To unsubscribe, visit http://gerrit.cloudera.org:8080/settings Gerrit-Project: kudu Gerrit-Branch: master Gerrit-MessageType: newpatchset Gerrit-Change-Id: Id844b9588196b3d608765d0f16f5caec1c414d41 Gerrit-Change-Number: 18253 Gerrit-PatchSet: 8 Gerrit-Owner: Alexey Serbin <ale...@apache.org> Gerrit-Reviewer: Abhishek Chennaka <achenn...@cloudera.com> Gerrit-Reviewer: Alexey Serbin <ale...@apache.org> Gerrit-Reviewer: Andrew Wong <anj...@gmail.com> Gerrit-Reviewer: Attila Bukor <abu...@apache.org> Gerrit-Reviewer: Kudu Jenkins (120)