Details
- Type: Bug
- Status: Resolved
- Priority: Major
- Resolution: Fixed
- 1.7.0
- None
Description
Add security-related HTTP headers to Views to keep Ambari up to date with best practices.
- Strict-Transport-Security
- X-Frame-Options
- X-XSS-Protection
These headers should be configurable via ambari.properties so that each one can be turned on or off, or set to a custom value.
The default values for these headers should be as follows:
- Strict-Transport-Security: max-age=31536000
- X-Frame-Options: DENY
- X-XSS-Protection: 1; mode=block
Strict-Transport-Security should only be turned on if SSL is enabled.
The relevant Ambari properties should be:
- Strict-Transport-Security: http.strict-transport-security
- X-Frame-Options: http.x-frame-options
- X-XSS-Protection: http.x-xss-protection
Setting any of these properties to an empty value turns the corresponding header off (the header is not set at all).
For example:
# Sets Strict-Transport-Security to a custom value
http.strict-transport-security=max-age=31536000; includeSubDomains
# Turns Strict-Transport-Security off
http.strict-transport-security=
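The property-to-header resolution described above (defaults, empty value means off, HSTS only when SSL is enabled), written out as an added Python example that is not Ambari's own code. It assumes the three keys are read from ambari.properties as plain key=value lines and that an ssl_enabled flag is available from the server configuration; the sample properties text is constructed for illustration.

```python
# Added example, not Ambari's own code: turns the three ambari.properties keys
# into the response headers that should be emitted.

# Default header values from the issue description (property key -> value).
DEFAULTS = {
    "http.strict-transport-security": "max-age=31536000",
    "http.x-frame-options": "DENY",
    "http.x-xss-protection": "1; mode=block",
}

# Property key -> HTTP header name.
HEADER_NAMES = {
    "http.strict-transport-security": "Strict-Transport-Security",
    "http.x-frame-options": "X-Frame-Options",
    "http.x-xss-protection": "X-XSS-Protection",
}


def parse_properties(text):
    """Minimal java.util.Properties-style parser: key=value lines, '#'/'!' comments.
    A key present with an empty value is kept, because empty means 'header off'."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")  # split on the FIRST '=' only
        if not sep:
            continue  # malformed line without '=': ignore
        props[key.strip()] = value.strip()
    return props


def resolve_security_headers(props, ssl_enabled):
    """Return {header_name: value} for the headers that should be set.
    key absent -> default; key present but empty -> header disabled;
    key with a value -> that custom value; HSTS only when SSL is enabled."""
    headers = {}
    for key, header in HEADER_NAMES.items():
        value = props.get(key, DEFAULTS[key])
        if value == "":
            continue  # explicitly turned off in ambari.properties
        if header == "Strict-Transport-Security" and not ssl_enabled:
            continue  # per the issue: HSTS is only sent when SSL is enabled
        headers[header] = value
    return headers


# Constructed sample ambari.properties fragment (mirrors the issue's example).
SAMPLE_PROPERTIES = """
# custom HSTS value
http.strict-transport-security=max-age=31536000; includeSubDomains
# turn X-XSS-Protection off
http.x-xss-protection=
"""
```

With SAMPLE_PROPERTIES and SSL enabled this yields the custom HSTS value and the default X-Frame-Options only; with SSL disabled the HSTS header is dropped as well.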