HBASE-23303

Add security headers to REST server/info page


    Details

    • Type: Improvement
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 3.0.0, 2.0.6, 2.1.7, 2.2.2
    • Fix Version/s: 3.0.0, 2.3.0, 2.2.3, 2.1.9
    • Component/s: REST
    • Labels:
      None

      Description

      Vulnerability scanners suggest that the following extra headers should be added to both the Info and REST server endpoints exposed by the hbase-rest project.

      • X-Frame-Options: SAMEORIGIN
      • X-Xss-Protection: 1; mode=block
      • X-Content-Type-Options: nosniff
      • Strict-Transport-Security: "max-age=63072000;includeSubDomains;preload"
      • Content-Security-Policy: default-src https: data: 'unsafe-inline' 'unsafe-eval'

      The Info server already sends "X-Frame-Options: DENY", which is more restrictive than "SAMEORIGIN", so it's probably fine. All three headers are missing from REST responses.

      I'll put together a patch to resolve this. 
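As an added example that is not part of the issue or of HBase's own code, the following check compares a response's headers against the list above from a defender's side: it reports headers that are missing or weaker than suggested, accepts DENY as stricter than SAMEORIGIN for X-Frame-Options, and can be pointed at a live REST or Info endpoint URL (the sample header sets below are constructed, not captured from HBase).

```python
import sys
import urllib.request

# Headers the scanner asked for (values quoted from the issue). The set lists values accepted
# as equivalent or stricter; None means only presence (plus max-age for HSTS) is checked.
EXPECTED = {
    "X-Frame-Options": ("SAMEORIGIN", {"sameorigin", "deny"}),
    "X-Xss-Protection": ("1; mode=block", {"1; mode=block"}),
    "X-Content-Type-Options": ("nosniff", {"nosniff"}),
    "Strict-Transport-Security": ("max-age=63072000;includeSubDomains;preload", None),
    "Content-Security-Policy": ("default-src https: data: 'unsafe-inline' 'unsafe-eval'", None),
}

def hsts_max_age(value):
    """Return the max-age of an HSTS value, or None when absent or malformed."""
    for directive in value.split(";"):
        key, _, num = directive.strip().partition("=")
        if key.strip().lower() == "max-age" and num.strip().isdigit():
            return int(num.strip())
    return None

def check_security_headers(headers):
    """Map each missing or weak header to a finding; names match case-insensitively
    as HTTP requires, and an empty result means every expected header is set."""
    present = {k.lower(): v.strip() for k, v in headers.items()}
    findings = {}
    for name, (suggested, accepted) in EXPECTED.items():
        value = present.get(name.lower())
        if value is None:
            findings[name] = f"missing; suggested: {suggested}"
        elif accepted is not None and value.lower() not in accepted:
            findings[name] = f"unexpected value {value!r}; suggested: {suggested}"
        elif name == "Strict-Transport-Security" and not hsts_max_age(value):
            findings[name] = f"max-age missing or zero in {value!r}; suggested: {suggested}"
    return findings

def fetch_headers(url):
    """Fetch one response from a live endpoint and return its headers as a dict."""
    with urllib.request.urlopen(url, timeout=10) as resp:
        return dict(resp.headers.items())

# Constructed samples: a REST response with none of the headers, and an Info page that
# already sends X-Frame-Options: DENY (stricter than SAMEORIGIN, so it is not reported).
REST_BEFORE_FIX = {"Content-Type": "application/json", "Content-Length": "2"}
INFO_PAGE = {"Content-Type": "text/html", "X-Frame-Options": "DENY"}

if __name__ == "__main__":
    target = fetch_headers(sys.argv[1]) if len(sys.argv) > 1 else REST_BEFORE_FIX
    for header, finding in check_security_headers(target).items():
        print(f"{header}: {finding}")
```

Run it with the REST or Info server URL as the only argument to check a live deployment; with no argument it reports on the constructed pre-fix sample.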


              People

              • Assignee: Andor Molnar (andor)
              • Reporter: Andor Molnar (andor)