Hello Attila Bukor, Kudu Jenkins, Andrew Wong, Abhishek Chennaka,
I'd like you to reexamine a change. Please visit
http://gerrit.cloudera.org:8080/18253
to look at the new patch set (#8).
Change subject: [webserver] add security-related HTTP headers
......................................................................
[webserver] add security-related HTTP headers
To please various security scanners, this patch adds the following
HTTP headers into Kudu embedded webserver's responses:
* Cache-Control (set to 'no-store' by default, see [1])
* X-Content-Type-Options (set to 'nosniff' by default, see [2])
* Strict-Transport-Security (see [3] and below for details)
The embedded webserver adds the HTTP strict transport security
(HSTS) header 'Strict-Transport-Security' for responses sent from HTTPS
(i.e. TLS-protected) endpoints if --webserver_hsts_max_age_seconds is
set to a non-negative value. The header contains the 'max-age'
attribute as specified by the flag, and adds the optional
'includeSubDomains' attribute as per set setting of the
--webserver_hsts_include_sub_domains flag. The HSTS header isn't added
to the responses sent from plain HTTP endpoints (BTW, it seems most
browsers simply ignore the HSTS header anyway if it's received from
an HTTP, not an HTTPS endpoint).
Essentially, the HSTS header for Kudu is a no-op since the embedded
webserver doesn't serve both HTTP and HTTPS endpoints at the same time:
one can enable one of the other, but never both. However, many security
scanners almost cry "Security breach" if they don't see the header :)
Adding the HSTS header isn't enabled by default since it could make
other plain HTTP endpoints at the same node/hostname inaccessible.
To enable adding the HSTS header for HTTPS responses, set the
--webserver_hsts_max_age_seconds flag to a non-negative integer.
Enable it with care and only if you know what you are doing!
One extra test added and a few existing ones updated correspondingly
to cover the newly introduced functionality.
[1] https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Cache-Control
[2]
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options
[3]
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security
Change-Id: Id844b9588196b3d608765d0f16f5caec1c414d41
---
M src/kudu/server/webserver-test.cc
M src/kudu/server/webserver.cc
2 files changed, 135 insertions(+), 7 deletions(-)
git pull ssh://gerrit.cloudera.org:29418/kudu refs/changes/53/18253/8
--
To view, visit http://gerrit.cloudera.org:8080/18253
To unsubscribe, visit http://gerrit.cloudera.org:8080/settings
Gerrit-Project: kudu
Gerrit-Branch: master
Gerrit-MessageType: newpatchset
Gerrit-Change-Id: Id844b9588196b3d608765d0f16f5caec1c414d41
Gerrit-Change-Number: 18253
Gerrit-PatchSet: 8
Gerrit-Owner: Alexey Serbin <ale...@apache.org>
Gerrit-Reviewer: Abhishek Chennaka <achenn...@cloudera.com>
Gerrit-Reviewer: Alexey Serbin <ale...@apache.org>
Gerrit-Reviewer: Andrew Wong <anj...@gmail.com>
Gerrit-Reviewer: Attila Bukor <abu...@apache.org>
Gerrit-Reviewer: Kudu Jenkins (120)
