apache · brfrn169 · Dec 8, 2019 · Nov 15, 2019 · Nov 15, 2019 · Nov 18, 2019
diff --git a/hbase-http/src/main/java/org/apache/hadoop/hbase/http/HttpServer.java b/hbase-http/src/main/java/org/apache/hadoop/hbase/http/HttpServer.java
@@ -597,9 +597,12 @@ private void initializeWebServer(String name, String hostName,
 
     addGlobalFilter("safety", QuotingInputFilter.class.getName(), null);
     Map<String, String> params = new HashMap<>();
-    params.put("xframeoptions", conf.get("hbase.http.filter.xframeoptions.mode", "DENY"));
-    addGlobalFilter("clickjackingprevention",
-            ClickjackingPreventionFilter.class.getName(), params);
+    params.put("xframeoptions", conf.get("hbase.http.filter.xframeoptions.mode",
+        "DENY"));
+    params.put("hsts", conf.get("hbase.http.filter.hsts.value",
+        "max-age=31536000"));
+    addGlobalFilter("securityheaders",
+            SecurityHeadersFilter.class.getName(), params);
     final FilterInitializer[] initializers = getFilterInitializers(conf);
     if (initializers != null) {
       conf = new Configuration(conf);

diff --git a/...se/http/ClickjackingPreventionFilter.java → ...oop/hbase/http/SecurityHeadersFilter.java b/...se/http/ClickjackingPreventionFilter.java → ...oop/hbase/http/SecurityHeadersFilter.java
@@ -6,19 +6,19 @@
  * to you under the Apache License, Version 2.0 (the
  * "License"); you may not use this file except in compliance
  * with the License.  You may obtain a copy of the License at
- *
- *     http://www.apache.org/licenses/LICENSE-2.0
- *
+ * <p>
+ * http://www.apache.org/licenses/LICENSE-2.0
+ * <p>
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  * See the License for the specific language governing permissions and
  * limitations under the License.
  */
+
 package org.apache.hadoop.hbase.http;
 
 import java.io.IOException;
-
 import javax.servlet.Filter;
 import javax.servlet.FilterChain;
 import javax.servlet.FilterConfig;
@@ -28,24 +28,33 @@
 import javax.servlet.http.HttpServletResponse;
 
 import org.apache.hadoop.hbase.HBaseInterfaceAudience;
-
 import org.apache.yetus.audience.InterfaceAudience;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
 
 @InterfaceAudience.LimitedPrivate(HBaseInterfaceAudience.CONFIG)
-public class ClickjackingPreventionFilter implements Filter {
+public class SecurityHeadersFilter implements Filter {
+  private static final Logger LOG =
+      LoggerFactory.getLogger(SecurityHeadersFilter.class);
   private FilterConfig filterConfig;
 
   @Override
   public void init(FilterConfig filterConfig) throws ServletException {
     this.filterConfig = filterConfig;
+    LOG.info("Added security headers filter");
   }
 
   @Override
-  public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
-        throws IOException, ServletException {
-    HttpServletResponse httpRes = (HttpServletResponse) res;
-    httpRes.addHeader("X-Frame-Options", filterConfig.getInitParameter("xframeoptions"));
-    chain.doFilter(req, res);
+  public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
+      throws IOException, ServletException {
+    HttpServletResponse httpResponse = (HttpServletResponse) response;
+    httpResponse.addHeader("X-Content-Type-Options", "nosniff");
+    httpResponse.addHeader("X-XSS-Protection", "1; mode=block");
+    httpResponse.addHeader("X-Frame-Options",
+        filterConfig.getInitParameter("xframeoptions"));
+    httpResponse.addHeader("Strict-Transport-Security",
+        filterConfig.getInitParameter("hsts"));
+    chain.doFilter(request, response);
   }
 
   @Override

diff --git a/hbase-rest/src/main/java/org/apache/hadoop/hbase/rest/RESTServer.java b/hbase-rest/src/main/java/org/apache/hadoop/hbase/rest/RESTServer.java
@@ -20,13 +20,15 @@
 
 import java.lang.management.ManagementFactory;
 import java.util.ArrayList;
+import java.util.EnumSet;
+import java.util.HashMap;
 import java.util.List;
 import java.util.Map;
-import java.util.EnumSet;
 import java.util.concurrent.ArrayBlockingQueue;
 
 import com.fasterxml.jackson.jaxrs.json.JacksonJaxbJsonProvider;
 import org.apache.commons.lang3.ArrayUtils;
+import org.apache.hadoop.hbase.http.SecurityHeadersFilter;
 import org.apache.yetus.audience.InterfaceAudience;
 import org.apache.hadoop.conf.Configuration;
 import org.apache.hadoop.hbase.HBaseConfiguration;
@@ -137,6 +139,19 @@ void addCSRFFilter(ServletContextHandler ctxHandler, Configuration conf) {
     }
   }
 
+  private void addSecurityHeadersFilter(ServletContextHandler ctxHandler, Configuration conf) {
+    FilterHolder holder = new FilterHolder();
+    holder.setName("security");
+    holder.setClassName(SecurityHeadersFilter.class.getName());
+    Map<String, String> params = new HashMap<>();
+    params.put("xframeoptions", conf.get("hbase.http.filter.xframeoptions.mode",
+        "DENY"));
+    params.put("hsts", conf.get("hbase.http.filter.hsts.value",
+        "max-age=31536000"));
+    holder.setInitParameters(params);
+    ctxHandler.addFilter(holder, PATH_SPEC_ANY, EnumSet.allOf(DispatcherType.class));
+  }
+
   // login the server principal (if using secure Hadoop)
   private static Pair<FilterHolder, Class<? extends ServletContainer>> loginServerPrincipal(
     UserProvider userProvider, Configuration conf) throws Exception {
@@ -349,6 +364,7 @@ public synchronized void run() throws Exception {
       ctxHandler.addFilter(filter, PATH_SPEC_ANY, EnumSet.of(DispatcherType.REQUEST));
     }
     addCSRFFilter(ctxHandler, conf);
+    addSecurityHeadersFilter(ctxHandler, conf);
     HttpServerUtil.constrainHttpMethods(ctxHandler, servlet.getConfiguration()
         .getBoolean(REST_HTTP_ALLOW_OPTIONS_METHOD, REST_HTTP_ALLOW_OPTIONS_METHOD_DEFAULT));