  1. Zeppelin
  2. ZEPPELIN-4723

Configure Security Features in Zeppelin to be enabled by default

    Details

    • Type: Improvement
    • Status: Closed
    • Priority: Critical
    • Resolution: Fixed
    • Affects Version/s: 0.8.2
    • Fix Version/s: 0.9.0
    • Component/s: zeppelin-web
    • Labels:

      Description

      Zeppelin, being a notebook, has gained popularity among Data Scientists who are not necessarily also information security savvy. They usually deploy Zeppelin with default configuration options, which don't enable the common web application security headers by default, e.g. zeppelin.server.xframe.options, zeppelin.server.strict.transport, zeppelin.server.xxss.protection, zeppelin.server.jetty.name, zeppelin.server.xcontent.type.options documented here. This leaves the Zeppelin installation vulnerable.

      In recent times, Zeppelin installations are taking flak over these missing security headers from Internal Security teams and External Auditors who are not aware of these features being already available. Also, as the software community is moving towards privacy-by-design and compliance-as-code, the expectation of secure by design doesn't look out of place. This Jira's intention is to enable all of the above HTTP response headers by default.
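
An added example, not part of the issue or of Zeppelin's code: a Python audit that reports which of the five properties named in the description are not explicitly set in a `zeppelin-site.xml`. It assumes the Hadoop-style `<property><name>/<value>` layout of that file; the header names in the mapping and the sample XML are supplied here, not taken from the issue.

```python
import xml.etree.ElementTree as ET

# Properties named in the issue; the header each one controls is this example's mapping.
HEADER_PROPERTIES = {
    "zeppelin.server.xframe.options": "X-Frame-Options",
    "zeppelin.server.strict.transport": "Strict-Transport-Security",
    "zeppelin.server.xxss.protection": "X-XSS-Protection",
    "zeppelin.server.xcontent.type.options": "X-Content-Type-Options",
    "zeppelin.server.jetty.name": "Server",
}

# Constructed sample config (values are illustrative, not recommendations).
SAMPLE = """<configuration>
  <property><name>zeppelin.server.xframe.options</name><value>SAMEORIGIN</value></property>
  <!-- <property><name>zeppelin.server.strict.transport</name><value>max-age=631138519</value></property> -->
  <property><name>zeppelin.server.xxss.protection</name><value></value></property>
</configuration>"""

def load_properties(xml_text):
    """Return {name: value} for every <property> element; XML comments are skipped by the parser."""
    props = {}
    for prop in ET.fromstring(xml_text).iter("property"):
        name = (prop.findtext("name") or "").strip()
        if name:
            props[name] = (prop.findtext("value") or "").strip()
    return props

def audit(xml_text):
    """Return (property, header, status) for each header property that is not explicitly set."""
    props = load_properties(xml_text)
    findings = []
    for name, header in HEADER_PROPERTIES.items():
        if name not in props:
            # Absent or commented out: the installed version's built-in default applies.
            findings.append((name, header, "missing"))
        elif not props[name]:
            findings.append((name, header, "empty"))
    return findings

if __name__ == "__main__":
    for name, header, status in audit(SAMPLE):
        print(f"{status:8} {name} ({header})")
```

A property reported as missing is not necessarily unprotected; it means the deployment depends on whatever default the running Zeppelin version ships, which is the behaviour this issue asks to change.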

              People

              • Assignee:
                kpandey Krishna Pandey
                Reporter:
                kpandey Krishna Pandey
              • Votes:
                0
                Watchers:
                1

                  Time Tracking

                  Estimated: Not Specified
                  Remaining: 0h
                  Logged: 2h 10m