Ambari / AMBARI-13304

Add security-related HTTP headers to Views to keep Ambari up to date with best-practices


Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 1.7.0
    • Fix Version/s: 2.3.0, 2.0.3, 2.2.0
    • Component/s: ambari-server
    • Labels: None

    Description

      Add security-related HTTP headers to Views to keep Ambari up to date with best-practices.

      • Strict-Transport-Security
      • X-Frame-Options
      • X-XSS-Protection

      These headers should be configurable via ambari.properties so that they can be turned on or off, or set to a custom value.

      The default values for these headers should be as follows:

      • Strict-Transport-Security: max-age=31536000
      • X-Frame-Options: DENY
      • X-XSS-Protection: 1; mode=block

      Strict-Transport-Security should only be turned on if SSL is enabled.

      The relevant Ambari properties should be:

      • Strict-Transport-Security: http.strict-transport-security
      • X-Frame-Options: http.x-frame-options
      • X-XSS-Protection: http.x-xss-protection

      By setting any of these to be empty, the header is to be turned off (or not set).

      For example:

      Sets Strict-Transport-Security to a custom value
      http.strict-transport-security=max-age=31536000; includeSubDomains
      
      Turns Strict-Transport-Security off
      http.strict-transport-security=
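
An added example, not part of the original issue or of the Ambari patches: a small check that resolves which headers a given ambari.properties should produce under the rules above and compares them with the headers observed on a response. The function names, the `ssl_enabled` parameter and the reading that an absent property falls back to the default are assumptions made for this sketch.

```python
# Added example: resolve the headers described in AMBARI-13304 from ambari.properties text.
DEFAULTS = {
    "http.strict-transport-security": ("Strict-Transport-Security", "max-age=31536000"),
    "http.x-frame-options": ("X-Frame-Options", "DENY"),
    "http.x-xss-protection": ("X-XSS-Protection", "1; mode=block"),
}

def parse_properties(text):
    """Minimal key=value parser (splits on the first '='; no line continuations)."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!" or "=" not in line:
            continue
        key, value = line.split("=", 1)
        props[key.strip()] = value.strip()
    return props

def effective_headers(properties_text, ssl_enabled):
    """Return {header: value} that should be sent for this configuration."""
    props = parse_properties(properties_text)
    headers = {}
    for key, (name, default) in DEFAULTS.items():
        value = props.get(key, default)   # assumption: absent key -> default value
        if value == "":
            continue                      # empty value turns the header off
        if name == "Strict-Transport-Security" and not ssl_enabled:
            continue                      # HSTS only when SSL is enabled
        headers[name] = value
    return headers

def audit(properties_text, ssl_enabled, observed):
    """Compare observed response headers (case-insensitive names) to the expected set."""
    seen = {k.lower(): v.strip() for k, v in observed.items()}
    findings = []
    for name, value in effective_headers(properties_text, ssl_enabled).items():
        got = seen.get(name.lower())
        if got is None:
            findings.append(f"missing {name}")
        elif got != value:
            findings.append(f"{name}: expected {value!r}, got {got!r}")
    return findings

# Constructed sample configuration, not taken from a real deployment.
SAMPLE = """
http.strict-transport-security=max-age=31536000; includeSubDomains
http.x-frame-options=
"""
```

An empty list from `audit` means every expected header was present with the configured value; headers that the configuration turns off are not checked.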
      

      Attachments

        1. AMBARI-13304_branch-2.0.maint_01.patch
          5 kB
          Robert Levas
        2. AMBARI-13304_branch-2.1_01.patch
          5 kB
          Robert Levas
        3. AMBARI-13304_trunk_01.patch
          5 kB
          Robert Levas

          People

            rlevas Robert Levas