Github user krishna-pandey commented on the issue: https://github.com/apache/spark/pull/19419

@rxin , @srowen I think we can enable X-XSS-Protection and X-Content-Type-Options response header by default. STS Header can be left configurable or enabled by default when Spark UI is running on HTTPS. **Word of caution**: When X-Content-Type-Options response HTTP header is set to "nosniff", it will block a request if the requested type is "style" and the MIME type is not "text/css", or when requested type is "script" and the MIME type is not a JavaScript MIME type.
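As an added example (not code from the Spark PR or from the commenter), the following Python models the "nosniff" blocking rule described above and audits a response for the three headers discussed; the header names follow the comment, the JavaScript MIME type list is taken from the WHATWG MIME Sniffing standard, and the sample headers are constructed.

```python
from typing import Dict, List

# JavaScript MIME types per the WHATWG MIME Sniffing standard (assumed complete enough here)
JS_MIME_TYPES = {
    "application/ecmascript", "application/javascript", "application/x-ecmascript",
    "application/x-javascript", "text/ecmascript", "text/javascript", "text/jscript",
    "text/livescript", "text/x-ecmascript", "text/x-javascript",
}

def _header(headers: Dict[str, str], name: str) -> str:
    """Case-insensitive header lookup; returns '' when the header is absent."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return ""

def nosniff_blocks(headers: Dict[str, str], destination: str) -> bool:
    """True if a browser honouring 'nosniff' would refuse this response for the
    given request destination ('style' or 'script'), per the rule in the comment."""
    if _header(headers, "X-Content-Type-Options").strip().lower() != "nosniff":
        return False  # header absent: the rule does not apply, browser may sniff
    mime = _header(headers, "Content-Type").split(";")[0].strip().lower()
    if destination == "style":
        return mime != "text/css"
    if destination == "script":
        return mime not in JS_MIME_TYPES
    return False  # other destinations are not covered by the rule described

def audit_security_headers(headers: Dict[str, str], https: bool) -> List[str]:
    """Report which of the three headers discussed are missing or weak.
    STS is only expected when the UI is served over HTTPS, as the comment says."""
    findings: List[str] = []
    if _header(headers, "X-Content-Type-Options").strip().lower() != "nosniff":
        findings.append("missing X-Content-Type-Options: nosniff")
    if not _header(headers, "X-XSS-Protection"):
        findings.append("missing X-XSS-Protection")
    if https and not _header(headers, "Strict-Transport-Security"):
        findings.append("missing Strict-Transport-Security on an HTTPS endpoint")
    return findings

# Constructed sample response headers (not captured from a real Spark UI)
SAMPLE_HEADERS = {"Content-Type": "text/plain", "X-Content-Type-Options": "nosniff"}

if __name__ == "__main__":
    print(audit_security_headers(SAMPLE_HEADERS, https=True))
    # A <script src> pointing at this text/plain resource would be blocked under nosniff
    print(nosniff_blocks(SAMPLE_HEADERS, "script"))
```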