If it is exposed and you don't want unauthorized users to read or write, you need to add authentication: Apache Shiro, or make the Zeppelin port private (behind a firewall) and proxy all requests through a server that has the authentication you want.
On Thu, 13 Dec, 2018, 11:12 Tushar Kapila <tgkp...@gmail.com> wrote:

> Is your Zeppelin exposed to the internet? If not, I don't see why this should
> be an issue if it's behind the firewall?
>
> On Wed, 12 Dec, 2018, 03:57 Bicky Ealias <bickyeal...@gmail.com> wrote:
>
>> Checking again.. Has anyone got a chance to fix the CORS issue on Zeppelin?
>>
>> On Wed., 5 Dec. 2018, 5:55 pm Bicky Ealias <bickyeal...@gmail.com> wrote:
>>
>>> Hello users,
>>> Has anyone succeeded in hardening Zeppelin against the CORS vulnerability?
>>>
>>> ---------- Forwarded message ---------
>>>
>>> *From: *Jeff Zhang <zjf...@gmail.com>
>>> *Date: *Tuesday, 4 December 2018 at 5:05 pm
>>> *To: *"Ealias, Bicky" <bicky.eal...@cba.com.au>
>>> *Subject: *Re: CORS policy in Zeppelin
>>>
>>> Sorry, I don't know about this, could you ask this in the zeppelin user mail
>>> list?
>>>
>>> Ealias, Bicky <bicky.eal...@cba.com.au> wrote on Tue, 4 Dec 2018 at 10:55 AM:
>>>
>>> Hi Jeff,
>>>
>>> Hope you are doing well.
>>>
>>> Recently we had penetration testing done on Zeppelin, and one
>>> vulnerability that came forward is an issue with Zeppelin's HTML2 CORS policy.
>>>
>>> We are on version 0.8.0. I added these configurations as per the
>>> documentation:
>>>
>>> https://zeppelin.apache.org/docs/0.8.0/setup/security/http_security_headers.html
>>>
>>> But still that doesn't seem to fix the issue.
>>>
>>> https://issues.apache.org/jira/browse/ZEPPELIN-245 I see this ticket,
>>> but the comment says it's fixed in 0.6.0 already.
>>>
>>> Are there some other settings I can change?
>>>
>>> *CommonwealthBank*
>>>
>>> Bicky Ealias
>>> Analytics & Information
>>> Level 17, 255 Pitt St, Sydney NSW 2000
>>> M: 0406949642
>>> E: bicky.eal...@cba.com.au
>>>
>>> ************** IMPORTANT MESSAGE *****************************
>>> This e-mail message is intended only for the addressee(s) and contains
>>> information which may be confidential.
>>> If you are not the intended recipient please advise the sender by return
>>> email, do not use or disclose the contents, and delete the message and any
>>> attachments from your system. Unless specifically indicated, this email
>>> does not constitute formal advice or commitment by the sender or the
>>> Commonwealth Bank of Australia (ABN 48 123 123 124 AFSL and Australian
>>> credit licence 234945) or its subsidiaries.
>>> We can be contacted through our web site: commbank.com.au.
>>> If you no longer wish to receive commercial electronic messages from us,
>>> please reply to this e-mail by typing Unsubscribe in the subject line.
>>> **************************************************************
>>>
>>> --
>>> Best Regards
>>> Jeff Zhang
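Before and after applying either fix suggested in the reply above (Shiro, or a firewall plus an authenticating reverse proxy), it is worth re-running the check the pentest presumably made: send a request with a foreign `Origin` to a Zeppelin REST endpoint and look at what comes back. Two things matter separately: whether the endpoint answers at all without a session, and whether `Access-Control-Allow-Origin` reflects the foreign origin (or is `*`) together with `Access-Control-Allow-Credentials: true`, which is what lets a page on another site read an authenticated user's notebooks. Note that the response-header settings on the linked documentation page (X-Frame-Options, Strict-Transport-Security, X-XSS-Protection) do not govern this; the relevant Zeppelin property is `zeppelin.server.allowed.origins` in zeppelin-site.xml, whose default is `*`. The probe below is an added example, not Zeppelin's own code or anything posted in the thread; `/api/version` and `/api/notebook` are Zeppelin REST paths, while the foreign origin, the sample responses in the comments and the default target URL are constructed.

```python
"""Probe an Apache Zeppelin deployment for the two issues in this thread:
unauthenticated REST access, and CORS grants to a foreign Origin.

Added example, not part of Zeppelin. /api/version and /api/notebook are
Zeppelin REST endpoints; the foreign origin and target URL are constructed.
"""
import sys
import urllib.error
import urllib.request

FOREIGN_ORIGIN = "https://attacker.example"  # constructed, not a real host

# /api/version is anonymous by design; /api/notebook lists notebooks and
# should require a session.
PATHS = ("/api/version", "/api/notebook")


def assess(origin_sent, status, headers, path):
    """Classify one response.

    `headers` is a dict with lowercase keys. Returns a list of finding
    strings, in a fixed order; an empty list means nothing to report.
    """
    findings = []
    acao = headers.get("access-control-allow-origin")
    creds = headers.get("access-control-allow-credentials", "").lower() == "true"

    # Anything but the version endpoint answering 2xx/3xx with no session
    # is an exposure finding, independent of CORS.
    if status < 400 and path != "/api/version":
        findings.append("unauthenticated access")

    # CORS grant to a foreign origin: wildcard or reflection of what we sent.
    if acao == "*":
        findings.append("wildcard origin")
    elif acao is not None and acao == origin_sent:
        findings.append("origin reflected")

    # Credentials only matter when a foreign origin was actually granted;
    # reflected origin + credentials is the cross-site read of authenticated
    # data that the pentest finding describes.
    if creds and acao in ("*", origin_sent):
        findings.append("credentials allowed")
    return findings


def fetch(base_url, path, origin):
    """GET base_url+path with a foreign Origin; return (status, lowercase headers)."""
    req = urllib.request.Request(base_url.rstrip("/") + path, headers={"Origin": origin})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, {k.lower(): v for k, v in resp.headers.items()}
    except urllib.error.HTTPError as err:
        # 401/403 responses still carry the CORS headers we want to inspect.
        return err.code, {k.lower(): v for k, v in err.headers.items()}


def probe(base_url, origin=FOREIGN_ORIGIN):
    """Run the check over PATHS; returns {path: findings}."""
    results = {}
    for path in PATHS:
        status, headers = fetch(base_url, path, origin)
        results[path] = assess(origin, status, headers, path)
    return results


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "http://localhost:8080"
    for path, findings in probe(target).items():
        print(path, "->", ", ".join(findings) or "ok")
```

Run it as `python probe.py http://zeppelin-host:8080` from a machine that can reach the server. A hardened deployment should report `ok` for `/api/notebook` (a 401 with no foreign origin granted); `origin reflected, credentials allowed` on a 401 is exactly the CORS finding even though the probe itself is unauthenticated, because a victim's browser would attach their session cookie. If you front Zeppelin with an authenticating proxy, run the probe against the proxy, and also directly against the Zeppelin port from outside the firewall to confirm it is really unreachable.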