Details
- Type: Improvement
- Status: Resolved
- Priority: Major
- Resolution: Fixed
- Fix Version/s: 3.0.0-alpha-1, 2.0.6, 2.1.7, 2.2.2
Description
Vulnerability scanners suggest that the following extra headers should be added to both the Info and REST server endpoints exposed by the hbase-rest project.
- X-Frame-Options: SAMEORIGIN
- X-Xss-Protection: 1; mode=block
- X-Content-Type-Options: nosniff
- Strict-Transport-Security: "max-age=63072000;includeSubDomains;preload"
- Content-Security-Policy: default-src https: data: 'unsafe-inline' 'unsafe-eval'
The Info server already has "X-Frame-Options: DENY", which is more restrictive than "SAMEORIGIN", so it's probably fine. All three headers are missing from REST responses.
I'll put together a patch to resolve this.
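The scanner check described above, as an added example that is not code from the HBase project or from this issue's patch: a small audit routine that parses a raw HTTP response and reports which of the five headers are missing or carry a weaker value than the ones listed. It encodes two caveats a practitioner would apply by hand: X-Frame-Options: DENY is accepted as satisfying the SAMEORIGIN requirement (as the description notes for the Info server), and Strict-Transport-Security is only checked when the endpoint is served over TLS, since browsers ignore HSTS on plain HTTP (the motivation for the linked HBASE-26789). The sample responses are constructed for illustration; the one-year minimum HSTS max-age is an assumption, not a value from this issue.

```python
"""Audit HTTP responses for the security headers requested in this issue.

Added example, not HBase project code. Sample responses below are constructed.
"""
import re

# Assumption: treat anything under one year as a weak HSTS max-age.
MIN_HSTS_MAX_AGE = 365 * 24 * 3600


def parse_response(raw):
    """Split a raw HTTP response into (status line, {lowercased name: value})."""
    head, _, _ = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def xfo_ok(value):
    # DENY is stricter than SAMEORIGIN, so both satisfy the scanner's ask.
    return value.strip().upper() in ("DENY", "SAMEORIGIN")


def xss_ok(value):
    return value.replace(" ", "").lower() == "1;mode=block"


def nosniff_ok(value):
    return value.strip().lower() == "nosniff"


def hsts_ok(value):
    m = re.search(r"max-age=(\d+)", value, re.IGNORECASE)
    return (bool(m) and int(m.group(1)) >= MIN_HSTS_MAX_AGE
            and "includesubdomains" in value.lower())


def csp_ok(value):
    # The issue only asks that a policy with a default-src be present.
    return "default-src" in value.lower()


CHECKS = {
    "x-frame-options": xfo_ok,
    "x-xss-protection": xss_ok,
    "x-content-type-options": nosniff_ok,
    "strict-transport-security": hsts_ok,
    "content-security-policy": csp_ok,
}


def audit(raw, over_tls=True):
    """Return a list of findings ("missing: ..." / "weak: ..."); empty means pass."""
    _, headers = parse_response(raw)
    findings = []
    for name, check in CHECKS.items():
        if name == "strict-transport-security" and not over_tls:
            continue  # HSTS is ignored by browsers on plain HTTP; only check when SSL is on
        value = headers.get(name)
        if value is None:
            findings.append("missing: " + name)
        elif not check(value):
            findings.append("weak: " + name + ": " + value)
    return findings


# Constructed sample responses.
REST_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: application/json\r\n"
    "Content-Length: 2\r\n"
    "\r\n"
    "{}"
)

INFO_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html;charset=utf-8\r\n"
    "X-Frame-Options: DENY\r\n"
    "\r\n"
    "<html></html>"
)

HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: application/json\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "X-Xss-Protection: 1; mode=block\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "Strict-Transport-Security: max-age=63072000;includeSubDomains;preload\r\n"
    "Content-Security-Policy: default-src https: data: 'unsafe-inline' 'unsafe-eval'\r\n"
    "\r\n"
    "{}"
)

if __name__ == "__main__":
    for label, resp in (("rest", REST_RESPONSE), ("info", INFO_RESPONSE),
                        ("hardened", HARDENED_RESPONSE)):
        print(label, audit(resp) or "ok")
```

Run it against a captured response (for example the output of `curl -si https://host:8080/version`) to reproduce the scanner's complaint before and after applying the patch.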
Issue Links
- is related to: HADOOP-15457 Add Security-Related HTTP Response Header in WEBUIs. (Resolved)
- is related to: HBASE-26789 Automatically add default security headers to http/rest if SSL enabled (Resolved)
- relates to: HBASE-27118 Add security headers to Thrift/HTTP server (Open)