Uploaded image for project: 'Hadoop Common'
  1. Hadoop Common
  2. HADOOP-12691

Add CSRF Filter for REST APIs to Hadoop Common

    XMLWordPrintableJSON

Details

    • New Feature
    • Status: Resolved
    • Major
    • Resolution: Fixed
    • None
    • 2.8.0, 3.0.0-alpha1
    • security
    • None
    • Reviewed

    Description

      CSRF prevention for REST APIs can be provided through a common servlet filter. This filter would check for the existence of an expected (configurable) HTTP header - such as X-XSRF-Header.

      The fact that CSRF attacks are entirely browser based means that the above approach can ensure that requests are coming from either: applications served by the same origin as the REST API or that there is explicit policy configuration that allows the setting of a header on XmlHttpRequest from another origin.

      Attachments

        1. HADOOP-12691-003.patch
          15 kB
          Larry McCay
        2. HADOOP-12691-002.patch
          14 kB
          Larry McCay
        3. HADOOP-12691-001.patch
          14 kB
          Larry McCay
        4. CSRFProtectionforRESTAPIs.pdf
          111 kB
          Larry McCay

        Issue Links

          Activity

            People

              lmccay Larry McCay
              lmccay Larry McCay
              Votes:
              0 Vote for this issue
              Watchers:
              14 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: