Zeppelin / ZEPPELIN-4723

Configure Security Features in Zeppelin to be enabled by default


Details

    • Type: Improvement
    • Status: Closed
    • Priority: Critical
    • Resolution: Fixed
    • 0.8.2
    • 0.9.0
    • Component: zeppelin-web

    Description

      Zeppelin, being a notebook, has gained popularity among data scientists who are not necessarily also information-security savvy. They usually deploy Zeppelin with the default configuration options, which do not enable the common web application security headers by default, e.g. zeppelin.server.xframe.options, zeppelin.server.strict.transport, zeppelin.server.xxss.protection, zeppelin.server.jetty.name, zeppelin.server.xcontent.type.options, documented here. This leaves the Zeppelin installation vulnerable.

      Recently, Zeppelin installations have been taking flak over these missing security headers from internal security teams and external auditors who are not aware that these features are already available. Also, as the software community moves towards privacy-by-design and compliance-as-code, an expectation of secure by design does not look out of place. This Jira's intention is to enable all of the above HTTP response headers by default.
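      As an added example (not part of this issue or of Zeppelin's own code), a small Python audit that checks whether the response headers those properties control are actually present on a Zeppelin server, which is what an internal security team or auditor would verify. The property-to-header mapping and the accepted values are assumed from the property names and the Zeppelin security docs the description refers to; the sample header sets are constructed.

```python
"""Audit the HTTP security headers controlled by Zeppelin's zeppelin.server.* properties."""
import http.client
from urllib.parse import urlparse

# zeppelin.server.* property -> (response header it sets, accepted value prefixes).
# Assumed from the property names and the Zeppelin security docs; adjust to taste.
EXPECTED = {
    "zeppelin.server.xframe.options": ("X-Frame-Options", ("SAMEORIGIN", "DENY")),
    "zeppelin.server.strict.transport": ("Strict-Transport-Security", ("max-age=",)),
    "zeppelin.server.xxss.protection": ("X-XSS-Protection", ("1; mode=block",)),
    "zeppelin.server.xcontent.type.options": ("X-Content-Type-Options", ("nosniff",)),
}

def audit_headers(headers):
    """Return {property: finding} for each header that is missing or carries a weak value.
    `headers` is a mapping of response header name -> value (any letter case)."""
    lowered = {k.lower(): v for k, v in headers.items()}
    findings = {}
    for prop, (name, accepted) in EXPECTED.items():
        value = lowered.get(name.lower())
        if value is None:
            findings[prop] = f"{name} missing"
        elif not any(value.strip().lower().startswith(a.lower()) for a in accepted):
            findings[prop] = f"{name} has unexpected value {value!r}"
    # zeppelin.server.jetty.name overrides the Server banner; flag the stock Jetty one.
    server = lowered.get("server", "")
    if server.lower().startswith("jetty"):
        findings["zeppelin.server.jetty.name"] = f"Server banner reveals {server!r}"
    return findings

def fetch_headers(url, timeout=5):
    """Send a HEAD request to the Zeppelin URL and return its response headers as a dict."""
    u = urlparse(url)
    conn_cls = http.client.HTTPSConnection if u.scheme == "https" else http.client.HTTPConnection
    conn = conn_cls(u.hostname, u.port, timeout=timeout)
    conn.request("HEAD", u.path or "/")
    return dict(conn.getresponse().getheaders())

# Constructed samples: a default install (no headers) vs. one with the properties enabled.
DEFAULT_INSTALL = {"Server": "Jetty(9.4.x)", "Content-Type": "text/html"}
HARDENED = {"Server": "Zeppelin", "X-Frame-Options": "SAMEORIGIN",
            "Strict-Transport-Security": "max-age=631138519",
            "X-XSS-Protection": "1; mode=block", "X-Content-Type-Options": "nosniff"}

if __name__ == "__main__":
    import sys
    target = fetch_headers(sys.argv[1]) if len(sys.argv) > 1 else DEFAULT_INSTALL
    for prop, finding in audit_headers(target).items():
        print(f"{prop}: {finding}")
```

      Run it with the base URL of a Zeppelin server as the only argument; with no argument it audits the constructed default-install sample.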


          People

            Assignee: Krishna Pandey (kpandey)
            Reporter: Krishna Pandey (kpandey)
            Votes: 0
            Watchers: 1


              Time Tracking

                Estimated: Not Specified
                Remaining: 0h
                Logged: 2h 10m