[AMBARI-13278] Add security-related HTTP headers to keep Ambari up to date with best-practices - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Bug
Status: Resolved
Priority: Major
Resolution: Fixed
Affects Version/s: 1.7.0
Fix Version/s: 2.3.0, 2.0.3, 2.2.0
Component/s: ambari-server
Labels:
None

Description

Add security-related HTTP headers to keep Ambari up to date with best-practices.

Strict-Transport-Security
X-Frame-Options
X-XSS-Protection

These headers should be configurable via the ambari.properties such that they may be turned on or off - and set to some custom value.

The default value for this headers should be as follows:

Strict-Transport-Security: max-age=31536000
X-Frame-Options: DENY
X-XSS-Protection: 1; mode=block

Strict-Transport-Security should only be turned on if SSL is enabled.

The relevant Ambari properties should be:

Strict-Transport-Security: http.strict-transport-security
X-Frame-Options: http.x-frame-options
X-XSS-Protection: http.x-xss-protection

By setting any of these to be empty, the header is to be turned off (or not set).

For example:

Sets Strict-Transport-Security to a custom value

http.strict-transport-security=max-age=31536000; includeSubDomains

Turns Strict-Transport-Security off

http.strict-transport-security=

Attachments

Attachments

- Sort By Name
- Sort By Date
- Ascending
- Descending

AMBARI-13278_branch-2.0.maint_02.patch
01/Oct/15 17:57
24 kB
Robert Levas
AMBARI-13278_trunk_01.patch
30/Sep/15 20:07
25 kB
Robert Levas
AMBARI-13278_branch-2.1_01.patch
30/Sep/15 20:07
24 kB
Robert Levas
AMBARI-13278_branch-2.0.maint_01.patch
30/Sep/15 20:07
24 kB
Robert Levas

Issue Links

links to

Activity

People

Assignee:: Robert Levas

Reporter:: Robert Levas

Votes:: 0 Vote for this issue

Watchers:: 3 Start watching this issue

Dates

Created:: 30/Sep/15 16:51

Updated:: 01/Oct/15 21:31

Resolved:: 01/Oct/15 18:53