Description
As of today, the YARN web UI lacks certain security-related HTTP response headers. We plan to add a few default ones and also add support for further headers to be added via XML config. The two below will be sent by default:
- X-XSS-Protection: 1; mode=block
- X-Content-Type-Options: nosniff
Support for headers via config properties in core-site.xml will be along the following lines:

<property>
  <name>hadoop.http.header.Strict-Transport-Security</name>
  <value>valHSTSFromXML</value>
</property>
In the above example, valHSTSFromXML is a placeholder value; it should be configured according to the deployment's security requirements.
With this Jira, users can set any required header by prefixing the HTTP header name with hadoop.http.header. and configuring it with the required value in their core-site.xml.
Example:
<property>
  <name>hadoop.http.header.http-header</name>
  <value>http-header-value</value>
</property>
A regex matcher will pick up these properties and add them to the response headers when Jetty prepares the response.
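The prefix convention above, as an added example that is not the Jira's or Hadoop's own code: it reads a constructed core-site.xml, lifts every hadoop.http.header.* property with an assumed regex, and merges the result over the two proposed defaults, ignoring unrelated properties.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample core-site.xml (not from the Jira or the Hadoop code base).
# The third property is unrelated and must be ignored by the matcher.
CORE_SITE_XML = """<configuration>
  <property>
    <name>hadoop.http.header.Strict-Transport-Security</name>
    <value>max-age=31536000; includeSubDomains</value>
  </property>
  <property>
    <name>hadoop.http.header.X-Content-Type-Options</name>
    <value>nosniff</value>
  </property>
  <property>
    <name>hadoop.http.filter.initializers</name>
    <value>org.example.SomeFilter</value>
  </property>
</configuration>"""

# Defaults the Jira proposes to send on every YARN web-ui response.
DEFAULT_HEADERS = {
    "X-XSS-Protection": "1; mode=block",
    "X-Content-Type-Options": "nosniff",
}

# Assumed matcher for the described convention: whatever follows the
# hadoop.http.header. prefix is the header name, the property value is its value.
HEADER_PROPERTY = re.compile(r"^hadoop\.http\.header\.([A-Za-z0-9-]+)$")


def load_properties(xml_text):
    """Return {name: value} for every <property> in a Hadoop-style XML config."""
    props = {}
    for prop in ET.fromstring(xml_text).findall("property"):
        name, value = prop.findtext("name"), prop.findtext("value")
        if name is not None and value is not None:
            props[name.strip()] = value.strip()
    return props


def response_headers(props, defaults=DEFAULT_HEADERS):
    """Headers Jetty should add: the defaults, then every configured
    hadoop.http.header.* property (a configured value overrides a default)."""
    headers = dict(defaults)
    for name, value in props.items():
        match = HEADER_PROPERTY.match(name)
        if match:
            headers[match.group(1)] = value
    return headers
```

Current browsers ignore X-XSS-Protection, so in practice the nosniff default and any configured Strict-Transport-Security or Content-Security-Policy value do the real work.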
Attachments
Issue Links
- relates to
  - HBASE-23303 Add security headers to REST server/info page (Resolved)
  - YARN-11661 Adding new property to configure the "SameSite" cookie attribute on YARN UI (Resolved)