[ZEPPELIN-4723] Enable HTTP security headers by default #3716
@prabhjyotsingh @jongyoul @Leemoonsoo @zjffdu

alexott left a comment
From a first look it could be OK, but we need to test. Please configure Travis & do the build.
Also, we need to update the documentation about the uncommented properties to say that they are on by default.

@alexott It's happening as we speak at https://travis-ci.org/github/krishna-pandey/zeppelin/builds/670946421; I will also verify locally. Thanks.

Great! Thank you!

@alexott Made the suggested changes, please review. Thanks.
prabhjyotsingh left a comment
LGTM
@krishna-pandey it looks good to me, but the question is the following: we updated the template for the configuration, not the configuration itself. If a user just downloads & unpacks, these changes won't be applicable, because @prabhjyotsingh WDYT?

Agree with @alexott. We should update

I would love to see this in Zeppelin. Of course this should be off by default. Can we completely suppress the

I think that we can create a follow-up ticket for HSTS - usually the introduction of TLS will require special build instructions, or pre-generated keys/certificates (bad idea)...

Updated ZeppelinConfiguration with default values as suggested. Verified that the same is reflected locally in the absence of zeppelin-site.xml and zeppelin-env.sh.

Also, Travis just finished running the tests and the build passed with the last commit. (https://travis-ci.org/github/krishna-pandey/zeppelin/builds/671511015)
alexott left a comment
LGTM, thank you!
### What is this PR for?

Zeppelin, when installed with the default configuration options, doesn't enable the common web application security headers, e.g. zeppelin.server.xframe.options, zeppelin.server.xxss.protection, zeppelin.server.jetty.name, zeppelin.server.xcontent.type.options. This leaves the Zeppelin installation vulnerable.

### What type of PR is it?

Improvement

### Todos

* Discuss HSTS header config (zeppelin.server.strict.transport), which if enabled requires TLS to be configured for Zeppelin to work

### What is the Jira issue?

* [ZEPPELIN-4723](https://issues.apache.org/jira/browse/ZEPPELIN-4723)

### How should this be tested?

* The headers below can be verified in the received HTTP response

Server:
X-Content-Type-Options: nosniff
X-FRAME-OPTIONS: SAMEORIGIN
X-XSS-Protection: 1; mode=block

Here is the Travis test run link which passed: https://travis-ci.org/github/krishna-pandey/zeppelin/builds/670946421

### Questions:

* Do the license files need an update? No
* Are there breaking changes for older versions? No
* Does this need documentation? No

Author: Krishna Pandey <[email protected]>

Closes #3716 from krishna-pandey/ZEPPELIN-4723 and squashes the following commits:

afde17f [Krishna Pandey] Added default config values
01d3040 [Krishna Pandey] Added documentation for enabled headers with default values
f7578ad [Krishna Pandey] removed HSTS header, requires TLS config for Zeppelin to start
6fbd30e [Krishna Pandey] Enable HTTP security headers by default

(cherry picked from commit 8952b27)

Signed-off-by: Alex Ott <[email protected]>
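The "How should this be tested?" step above says to eyeball four headers in the response. The script below automates that check and, because the thread defers HSTS until TLS is configured, makes the Strict-Transport-Security expectation opt-in. It is an added example, not code from this PR or from the Zeppelin project; the two raw responses (including the `Jetty(9.x)` Server value) are constructed for offline use, not captured from a running Zeppelin, and the expected header values are exactly the ones listed in the PR description.

```python
"""Verify the HTTP security headers that ZEPPELIN-4723 turns on by default.

Added example for the "How should this be tested?" step; not Zeppelin
project code.  Expected values are the ones listed in the PR description.
Both raw responses are constructed for offline use, not real captures.
"""
from typing import Dict, List, Tuple

# Header -> value a default install is expected to send after this PR.
EXPECTED_HEADERS = {
    "x-content-type-options": "nosniff",
    "x-frame-options": "SAMEORIGIN",
    "x-xss-protection": "1; mode=block",
}

# Constructed responses (not real captures).  The first mirrors the headers
# listed in the PR; the second mimics an install with the headers still off
# and Jetty announcing itself in the Server header.
RESPONSE_HARDENED = (
    "HTTP/1.1 200 OK\r\n"
    "Server: \r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "X-FRAME-OPTIONS: SAMEORIGIN\r\n"
    "X-XSS-Protection: 1; mode=block\r\n"
    "Content-Type: text/html;charset=utf-8\r\n"
    "\r\n"
    "<html></html>"
)
RESPONSE_UNHARDENED = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Jetty(9.x)\r\n"
    "Content-Type: text/html;charset=utf-8\r\n"
    "\r\n"
    "<html></html>"
)


def parse_response(raw: str) -> Tuple[str, Dict[str, str]]:
    """Split a raw HTTP/1.1 response into its status line and a header map.

    Header names are lower-cased because they are case-insensitive on the
    wire (Zeppelin emits X-FRAME-OPTIONS in upper case, for instance).
    """
    head, _, _body = raw.partition("\r\n\r\n")
    status_line, *header_lines = head.split("\r\n")
    headers: Dict[str, str] = {}
    for line in header_lines:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return status_line, headers


def check_security_headers(headers: Dict[str, str], over_tls: bool = False) -> List[str]:
    """Return a list of findings; an empty list means the response is as expected.

    over_tls=True additionally expects Strict-Transport-Security, which the PR
    deliberately left disabled because HSTS only makes sense once Zeppelin is
    actually served over TLS.
    """
    findings: List[str] = []
    for name, want in EXPECTED_HEADERS.items():
        got = headers.get(name)
        if got is None:
            findings.append(f"missing {name} (expected {want!r})")
        elif got.lower() != want.lower():
            findings.append(f"{name} is {got!r}, expected {want!r}")
    # zeppelin.server.jetty.name blanks the Server header; anything left in
    # it is a server/version disclosure.
    if headers.get("server"):
        findings.append(f"server header discloses {headers['server']!r}")
    if over_tls and "strict-transport-security" not in headers:
        findings.append("missing strict-transport-security on a TLS endpoint")
    return findings


if __name__ == "__main__":
    for label, raw in (("hardened", RESPONSE_HARDENED), ("unhardened", RESPONSE_UNHARDENED)):
        _, hdrs = parse_response(raw)
        print(label, check_security_headers(hdrs) or "OK")
```

To run it against a real instance, feed the output of `curl -si http://<zeppelin-host>:8080/` to `parse_response` instead of the constructed strings. Two caveats worth keeping in mind when reading the findings: X-XSS-Protection is checked only because the PR enables it; current Chromium-based browsers have removed the XSS auditor it controlled and Firefox never implemented one, so it is no substitute for output encoding or a Content-Security-Policy. And an empty Server header hides the Jetty banner but does not stop fingerprinting through other response characteristics, so treat it as hygiene rather than protection.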