[HBASE-23303] Add security headers to REST server/info page - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Improvement
Status: Resolved
Priority: Major
Resolution: Fixed
Affects Version/s: 3.0.0-alpha-1, 2.0.6, 2.1.7, 2.2.2
Fix Version/s: 2.5.0, 3.0.0-alpha-3, 2.4.11
Component/s: REST
Labels:
None

Description

Vulnerability scanners suggest that the following extra headers should be added to both Info/Rest server endpoints which are exposed by hbase-rest project.

X-Frame-Options: SAMEORIGIN
X-Xss-Protection: 1; mode=block
X-Content-Type-Options: nosniff
Strict-Transport-Security: “max-age=63072000;includeSubDomains;preload”
Content-Security-Policy: default-src https: data: 'unsafe-inline' 'unsafe-eval'

Info server already has "X-Frame-Options: DENY" which is more restrictive than "SAMEORIGIN", so it's probably fine. All of three headers are missing from REST responses.

I'll put together a patch to resolve this.

Attachments

Issue Links

is related to

HADOOP-15457 Add Security-Related HTTP Response Header in WEBUIs.

Resolved

HBASE-26789 Automatically add default security headers to http/rest if SSL enabled

Resolved

relates to

HBASE-27118 Add security headers to Thrift/HTTP server

Open

links to

GitHub Pull Request #843

GitHub Pull Request #4128

Activity

People

Assignee:: Andor Molnar

Reporter:: Andor Molnar

Votes:: 0 Vote for this issue

Watchers:: 3 Start watching this issue

Dates

Created:: 15/Nov/19 14:46

Updated:: 01/Sep/22 10:57

Resolved:: 08/Dec/19 13:51