Vulnerability scanners suggest that the following extra headers should be added to both the Info and REST server endpoints exposed by the hbase-rest project.
- X-Frame-Options: SAMEORIGIN
- X-Xss-Protection: 1; mode=block
- X-Content-Type-Options: nosniff
- Strict-Transport-Security: "max-age=63072000;includeSubDomains;preload"
- Content-Security-Policy: default-src https: data: 'unsafe-inline' 'unsafe-eval'
The Info server already sends "X-Frame-Options: DENY", which is more restrictive than "SAMEORIGIN", so that one is probably fine. All three headers are missing from REST responses.
I'll put together a patch to resolve this.
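As an added example (not part of this issue or of HBase's own code), a small Python check that audits a captured response's headers against the list above: DENY is accepted as a stricter X-Frame-Options value, and a Strict-Transport-Security max-age below the suggested 63072000 seconds is flagged as weak. The sample responses at the bottom are constructed, not captured from a real deployment.

```python
# Audit a response's headers against the hardening list in this issue.
MIN_HSTS_MAX_AGE = 63072000  # seconds, the value suggested above (two years)

# Header -> accepted values; None means "any non-empty value" (HSTS is parsed separately).
# The CSP is only checked for presence here, not for the strength of its directives.
EXPECTED = {
    "X-Frame-Options": {"DENY", "SAMEORIGIN"},  # DENY is stricter than SAMEORIGIN, so both pass
    "X-XSS-Protection": {"1; mode=block"},
    "X-Content-Type-Options": {"nosniff"},
    "Strict-Transport-Security": None,
    "Content-Security-Policy": None,
}


def _check_hsts(value):
    """Return 'ok' or 'weak: <reason>' for a Strict-Transport-Security value."""
    directives = {}
    for part in value.strip('"').split(";"):  # tolerate the quoted form shown above
        name, _, arg = part.strip().partition("=")
        directives[name.lower()] = arg
    try:
        max_age = int(directives.get("max-age", ""))
    except ValueError:
        return "weak: no max-age directive"
    if max_age < MIN_HSTS_MAX_AGE:
        return f"weak: max-age={max_age} below {MIN_HSTS_MAX_AGE}"
    if "includesubdomains" not in directives:
        return "weak: missing includeSubDomains"
    return "ok"


def audit_headers(headers):
    """Map each expected header to 'ok', 'missing' or 'weak: <reason>'.

    `headers` is a name -> value mapping such as dict(response.getheaders());
    names are matched case-insensitively because HTTP header names are.
    """
    present = {k.lower(): v.strip() for k, v in headers.items()}
    findings = {}
    for name, accepted in EXPECTED.items():
        value = present.get(name.lower())
        if not value:
            findings[name] = "missing"
        elif name == "Strict-Transport-Security":
            findings[name] = _check_hsts(value)
        elif accepted is not None and value not in accepted:
            findings[name] = f"weak: {value}"
        else:
            findings[name] = "ok"
    return findings


def missing_headers(headers):
    """Names of expected headers the response does not carry at all."""
    return [n for n, f in audit_headers(headers).items() if f == "missing"]


if __name__ == "__main__":
    # Constructed sample responses mirroring the situation described in the issue.
    info_server = {"Content-Type": "text/html", "X-Frame-Options": "DENY"}
    rest_server = {"Content-Type": "application/json"}
    for label, hdrs in (("info", info_server), ("rest", rest_server)):
        print(label, audit_headers(hdrs))
```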