Github user srowen commented on a diff in the pull request: https://github.com/apache/spark/pull/19419#discussion_r144483342 --- Diff: docs/configuration.md --- @@ -2013,7 +2013,62 @@ Apart from these, the following properties are also available, and may be useful </tr> </table> +### HTTP Security Headers +Apache Spark can be configured to include HTTP Headers which aids in preventing Cross +Site Scripting (XSS), Cross-Frame Scripting (XFS), MIME-Sniffing and also enforces HTTP +Strict Transport Security. + +<table class="table"> + <tr><th>Property Name</th><th>Default</th><th>Meaning</th></tr> + <tr> + <td><code>spark.ui.xXssProtection</code></td> + <td>None</td> + <td> + Value for HTTP X-XSS-Protection response header. You can choose appropriate value + from below: + <ul> + <li> 0 (Disables XSS filtering) + <li> 1 (Enables XSS filtering. If a cross-site scripting attack is detected, + the browser will sanitize the page.) + <li> 1; mode=block (Enables XSS filtering. The browser will prevent rendering + of the page if an attack is detected.) + </ul> + </td> + </tr> + <tr> + <td><code>spark.ui.allowFramingFrom</code></td> + <td>SAMEORIGIN</td> + <td> + Value for X-Frame-Options HTTP response header + <br />You can provide the "website uri" which can only be displayed in a frame on + the specified origin. + <br /> --- End diff -- Remove this
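Review bot: the `spark.ui.allowFramingFrom` description in this hunk is too vague to act on: "You can provide the "website uri" which can only be displayed in a frame on the specified origin" does not tell the reader which values the property accepts or how the URI is used. Suggest listing the defined X-Frame-Options values in the same style as the X-XSS-Protection row, i.e. `DENY`, `SAMEORIGIN` (the default shown) and `ALLOW-FROM <uri>`, and noting that `ALLOW-FROM` is not honoured by every browser, so a value other than `SAMEORIGIN` or `DENY` may silently give less protection than expected. Two smaller points in the same hunk: the intro sentence "HTTP Headers which aids in preventing Cross Site Scripting" should read "HTTP headers which aid in preventing Cross-Site Scripting", and the `spark.ui.xXssProtection` row gives a default of `None` without saying what that means; say explicitly that no X-XSS-Protection header is sent unless the property is set.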