[AMBARI-13304] Add security-related HTTP headers to Views to keep Ambari up to date with best-practices - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Bug
Status: Resolved
Priority: Major
Resolution: Fixed
Affects Version/s: 1.7.0
Fix Version/s: 2.3.0, 2.0.3, 2.2.0
Component/s: ambari-server
Labels:
None

Description

Add security-related HTTP headers to Views to keep Ambari up to date with best-practices.

Strict-Transport-Security
X-Frame-Options
X-XSS-Protection

These headers should be configurable via the ambari.properties such that they may be turned on or off - and set to some custom value.

The default value for this headers should be as follows:

Strict-Transport-Security: max-age=31536000
X-Frame-Options: DENY
X-XSS-Protection: 1; mode=block

Strict-Transport-Security should only be turned on if SSL is enabled.

The relevant Ambari properties should be:

Strict-Transport-Security: http.strict-transport-security
X-Frame-Options: http.x-frame-options
X-XSS-Protection: http.x-xss-protection

By setting any of these to be empty, the header is to be turned off (or not set).

For example:

Sets Strict-Transport-Security to a custom value

http.strict-transport-security=max-age=31536000; includeSubDomains

Turns Strict-Transport-Security off

http.strict-transport-security=

Attachments

Attachments

- Sort By Name
- Sort By Date
- Ascending
- Descending

AMBARI-13304_branch-2.0.maint_01.patch
04/Oct/15 12:10
5 kB
Robert Levas
AMBARI-13304_branch-2.1_01.patch
04/Oct/15 14:21
5 kB
Robert Levas
AMBARI-13304_trunk_01.patch
04/Oct/15 14:22
5 kB
Robert Levas

Activity

People

Assignee:: Robert Levas

Reporter:: Robert Levas

Votes:: 0 Vote for this issue

Watchers:: 2 Start watching this issue

Dates

Created:: 03/Oct/15 11:49

Updated:: 07/Oct/15 12:07

Resolved:: 07/Oct/15 12:07