Uploaded image for project: 'Zeppelin'
  1. Zeppelin
  2. ZEPPELIN-4723

Configure Security Features in Zeppelin to be enabled by default

Agile BoardAttach filesAttach ScreenshotVotersWatch issueWatchersCreate sub-taskLinkCloneUpdate Comment AuthorReplace String in CommentUpdate Comment VisibilityDelete Comments
    XMLWordPrintableJSON

    Details

    • Type: Improvement
    • Status: Closed
    • Priority: Critical
    • Resolution: Fixed
    • Affects Version/s: 0.8.2
    • Fix Version/s: 0.9.0
    • Component/s: zeppelin-web
    • Labels:

      Description

      Zeppelin being a notebook has gained popularity among Data Scientists who are not necessarily also information security savvy. They usually deploy Zeppelin with default configuration options which doesn't enable the common web application security headers by default, e.g. zeppelin.server.xframe.options,  zeppelin.server.strict.transport, zeppelin.server.xxss.protection, zeppelin.server.jetty.name, zeppelin.server.xcontent.type.options documented here. This leaves the Zeppelin installation vulnerable.

      In recent times, Zeppelin installations are taking flak over these missing security headers from Internal Security teams and External Auditors who are not aware of these features being already available. Also, as software community is moving towards privacy-by-design and compliance-as-code, expectation of secure by design doesn't look out of the place. This Jira's intention is to enable all above HTTP response headers by default.

        Attachments

          Activity

            People

            • Assignee:
              kpandey Krishna Pandey
              Reporter:
              kpandey Krishna Pandey

              Dates

              • Created:
                Updated:
                Resolved:

              Time Tracking

              Estimated:
              Original Estimate - Not Specified
              Not Specified
              Remaining:
              Remaining Estimate - 0h
              0h
              Logged:
              Time Spent - 2h 10m
              2h 10m

                Issue deployment