Details

    • Type: Improvement
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 1.2.0, 1.3.0, 2.0.0
    • Component/s: security, UI
    • Labels:
      None
    • Release Note:
      Security fix: Adds protection from clickjacking using X-Frame-Options header.
      This will prevent use of HBase UI in frames. To disable this feature, set the configuration 'hbase.http.filter.xframeoptions.mode' to 'ALLOW' (default is 'DENY').

      Description

      The web UIs do not include the "X-Frame-Options" header to prevent the pages from being framed from another site.

      Reference:
      https://www.owasp.org/index.php/Clickjacking
      https://www.owasp.org/index.php/Clickjacking_Defense_Cheat_Sheet
      https://developer.mozilla.org/en-US/docs/Web/HTTP/X-Frame-Options
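
An added example, not part of the HBase patch or of this issue: a small Python audit for the setting named in the release note. It reads an hbase-site.xml in the usual Hadoop `<configuration>`/`<property>` layout, flags `hbase.http.filter.xframeoptions.mode` set to `ALLOW`, and checks captured UI response headers for `X-Frame-Options`. The sample XML and headers are constructed; that the header value equals the configured mode, and that the last definition of the key wins, are assumptions.

```python
import xml.etree.ElementTree as ET

KEY = "hbase.http.filter.xframeoptions.mode"
DEFAULT_MODE = "DENY"  # default stated in the release note

# Constructed sample configs (not taken from a real cluster).
DEFAULT_SITE = "<configuration></configuration>"
DISABLED_SITE = f"""<configuration>
  <property><name>{KEY}</name><value>allow</value></property>
</configuration>"""

def effective_mode(site_xml: str) -> str:
    """Return the configured mode, or the default when the key is absent."""
    mode = DEFAULT_MODE
    for prop in ET.fromstring(site_xml).iter("property"):
        if (prop.findtext("name") or "").strip() == KEY:
            # Assumption: the last definition wins. The value is upper-cased
            # so a lowercase 'allow' is still flagged (conservative for an audit).
            mode = (prop.findtext("value") or "").strip().upper() or DEFAULT_MODE
    return mode

def audit(site_xml: str, response_headers: dict) -> list:
    """Return findings; an empty list means framing protection looks active."""
    mode = effective_mode(site_xml)
    if mode == "ALLOW":
        return [f"{KEY}=ALLOW: clickjacking protection is disabled"]
    # HTTP header names are case-insensitive.
    headers = {k.lower(): v.strip() for k, v in response_headers.items()}
    xfo = headers.get("x-frame-options")
    if xfo is None:
        return ["response has no X-Frame-Options header"]
    # Assumption: the UI sends the configured mode as the header value.
    if xfo.upper() != mode:
        return [f"header value {xfo!r} does not match configured mode {mode!r}"]
    return []

if __name__ == "__main__":
    # Constructed response headers standing in for a captured UI response.
    print(audit(DEFAULT_SITE, {"X-Frame-Options": "DENY"}))
    print(audit(DEFAULT_SITE, {"Content-Type": "text/html"}))
    print(audit(DISABLED_SITE, {}))
```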

        Attachments

        1. HBASE-14148-v3-master.patch
          11 kB
          Appy
        2. HBASE-14148-v2-master.patch
          10 kB
          Appy
        3. HBASE-14148-master.patch
          8 kB
          Appy
        4. HBASE-14148-cleanroom.3.patch
          6 kB
          Gabor Liptak
        5. HBASE-14148-cleanroom.2.patch
          6 kB
          Gabor Liptak
        6. HBASE-14148-cleanroom.1.patch
          5 kB
          Gabor Liptak

            People

            • Assignee:
              gliptak Gabor Liptak
              Reporter:
              appy Appy
            • Votes:
              0
              Watchers:
              10
