12 changes: 2 additions & 10 deletions conf/zeppelin-site.xml.template
@@ -519,13 +519,11 @@
</property>
-->

<!--
<property>
<name>zeppelin.server.jetty.name</name>
<value>Jetty(7.6.0.v20120127)</value>
<value> </value>
<description>Hardcoding Application Server name to Prevent Fingerprinting</description>
</property>
-->

<!--
<property>
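Review bot: the description on the now-uncommented `zeppelin.server.jetty.name` property still reads "Hardcoding Application Server name to Prevent Fingerprinting", but the new value `<value> </value>` is a single space rather than a name; reword it to say the Server header is blanked, and state whether the whitespace survives configuration loading, since a loader that trims values turns " " into an empty string and the effective header then depends on how an empty value is handled. Because the `<!--` / `-->` around this block are removed, the template now actively sets this value for every deployment that copies it, so the behaviour of the blank value deserves a sentence here rather than only in the docs.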
@@ -565,13 +563,11 @@
</property>
-->

<!--
<property>
<name>zeppelin.server.xframe.options</name>
<value>SAMEORIGIN</value>
<description>The X-Frame-Options HTTP response header can be used to indicate whether or not a browser should be allowed to render a page in a frame/iframe/object.</description>
</property>
-->

<!--
<property>
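Review bot: uncommenting `zeppelin.server.xframe.options` makes `SAMEORIGIN` the shipped value, but the description only explains what the header does; add that `SAMEORIGIN` still permits framing from Zeppelin's own origin and that `DENY` (the other value listed in docs/setup/security/http_security_headers.md in this PR) is the stricter choice when nothing needs to embed the UI.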
@@ -580,22 +576,18 @@
<description>The HTTP Strict-Transport-Security response header is a security feature that lets a web site tell browsers that it should only be communicated with using HTTPS, instead of using HTTP. Enable this when Zeppelin is running on HTTPS. Value is in Seconds, the default value is equivalent to 20 years.</description>
</property>
-->
<!--

<property>
<name>zeppelin.server.xxss.protection</name>
<value>1</value>
<value>1; mode=block</value>
<description>The HTTP X-XSS-Protection response header is a feature of Internet Explorer, Chrome and Safari that stops pages from loading when they detect reflected cross-site scripting (XSS) attacks. When value is set to 1 and a cross-site scripting attack is detected, the browser will sanitize the page (remove the unsafe parts).</description>
</property>
-->

<!--
<property>
<name>zeppelin.server.xcontent.type.options</name>
<value>nosniff</value>
<description>The HTTP X-Content-Type-Options response header helps to prevent MIME type sniffing attacks. It directs the browser to honor the type specified in the Content-Type header, rather than trying to determine the type from the content itself. The default value "nosniff" is really the only meaningful value. This header is supported on all browsers except Safari and Safari on iOS.</description>
</property>
-->

<!--
<property>
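Review bot: the `zeppelin.server.xxss.protection` description (the line beginning "The HTTP X-XSS-Protection response header ...") still says that with value 1 "the browser will sanitize the page (remove the unsafe parts)", but the value in this hunk becomes `1; mode=block`, whose effect is the "stops pages from loading" behaviour named earlier in the same sentence, not sanitizing; update the description so it matches the new default. The `zeppelin.server.xcontent.type.options` block is uncommented unchanged and its `nosniff` value and description are fine.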
16 changes: 8 additions & 8 deletions docs/setup/security/http_security_headers.md
@@ -53,7 +53,7 @@ Read more about HSTS [here](https://developer.mozilla.org/en-US/docs/Web/HTTP/He

The HTTP X-XSS-Protection response header is a feature of Internet Explorer, Chrome and Safari Web browsers that initiates configured action when they detect reflected cross-site scripting (XSS) attacks.

The following property needs to be updated in the zeppelin-site.xml in order to set X-XSS-PROTECTION header.
The below property to set X-XSS-Protection header is enabled with default value of "1; mode=block" in the zeppelin-site.xml

```xml
<property>
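Review bot: the replacement sentence "The below property to set X-XSS-Protection header is enabled with default value of "1; mode=block" in the zeppelin-site.xml" is ungrammatical and slightly misleading, because the default comes from `ZEPPELIN_SERVER_X_XSS_PROTECTION` in ConfVars (changed in this PR), not from zeppelin-site.xml, which only overrides it. Suggest: "Zeppelin sends the X-XSS-Protection header by default with the value `1; mode=block`. To change it, set the following property in zeppelin-site.xml:".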
@@ -64,7 +64,7 @@ The following property needs to be updated in the zeppelin-site.xml in order to
```


You can choose appropriate value from below.
You can choose appropriate value from below to update the configuration if required.

* 0 (Disables XSS filtering)
* 1 (Enables XSS filtering. If a cross-site scripting attack is detected, the browser will sanitize the page.)
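Review bot: "You can choose appropriate value from below to update the configuration if required." reads awkwardly; "Choose one of the following values if you need to change the default:" is clearer. Also check that the value list includes the new default `1; mode=block` and marks it as the default: the visible entries are only `0` and `1`, and `1` is described as "the browser will sanitize the page", which is not what the shipped value does.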
@@ -76,7 +76,7 @@ Read more about HTTP X-XSS-Protection response header [here](https://developer.m

The X-Frame-Options HTTP response header can indicate browser to avoid clickjacking attacks, by ensuring that their content is not embedded into other sites in a `<frame>`,`<iframe>` or `<object>`.

The following property needs to be updated in the zeppelin-site.xml in order to set X-Frame-Options header.
The below property to set X-Frame-Options header is enabled with default value of "SAMEORIGIN" in the zeppelin-site.xml

```xml
<property>
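Review bot: same sentence pattern as the X-XSS-Protection section: "The below property to set X-Frame-Options header is enabled with default value of "SAMEORIGIN" in the zeppelin-site.xml" should become "Zeppelin sends the X-Frame-Options header by default with the value `SAMEORIGIN`. To change it, set the following property in zeppelin-site.xml:", since the default lives in `ZEPPELIN_SERVER_XFRAME_OPTIONS` in ConfVars and the template entry only mirrors it.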
@@ -87,7 +87,7 @@ The following property needs to be updated in the zeppelin-site.xml in order to
```


You can choose appropriate value from below.
You can choose appropriate value from below to update the configuration if required.

* `DENY`
* `SAMEORIGIN`
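Review bot: same wording fix as in the X-XSS-Protection section ("Choose one of the following values if you need to change the default:"), and mark `SAMEORIGIN` as the default in the list so a reader sees which of `DENY` and `SAMEORIGIN` is in effect without scrolling up.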
@@ -97,7 +97,7 @@ You can choose appropriate value from below.

The HTTP X-Content-Type-Options response header helps to prevent MIME type sniffing attacks. It directs the browser to honor the type specified in the Content-Type header, rather than trying to determine the type from the content itself. The default value `nosniff` is really the only meaningful value. This header is supported on all browsers except Safari and Safari on iOS.

Zeppelin server will add this header to HTTP response by default. The following property needs to be updated in the zeppelin-site.xml in order to change X-Content-Type-Options header value.
The below property to set X-Content-Type-Options header is enabled with default value of "nosniff" in the zeppelin-site.xml

```xml
<property>
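Review bot: the removed sentence "Zeppelin server will add this header to HTTP response by default." was the clearer statement and should stay; the replacement "is enabled with default value of "nosniff" in the zeppelin-site.xml" implies the template is what enables the header, but `ZEPPELIN_SERVER_X_CONTENT_TYPE_OPTIONS` defaults to `nosniff` in ConfVars regardless of the xml. Suggest: "Zeppelin sends `X-Content-Type-Options: nosniff` by default. To change it, update the following property in zeppelin-site.xml:".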
@@ -111,14 +111,14 @@ Zeppelin server will add this header to HTTP response by default. The following

Security conscious organisations does not want to reveal the Application Server name and version to prevent finding this information easily by Attacker while fingerprinting the Application. The exact version number can tell an Attacker if the current Application Server is patched for or vulnerable to certain publicly known CVE associated to it.

The following property needs to be updated in the zeppelin-site.xml in order to set Server header.
The below property to mask Jetty server version is enabled by default and configured with value of " " (one whitespace char) in the zeppelin-site.xml

```xml
<property>
<name>zeppelin.server.jetty.name</name>
<value>Jetty(7.6.0.v20120127)</value>
<value> </value>
<description>Hardcoding Application Server name to Prevent Fingerprinting</description>
</property>
```

The value can be any "String".
The value can be any "String". Removing this property from configuration will cause Zeppelin to send correct Jetty server version.
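Review bot: the added sentence "Removing this property from configuration will cause Zeppelin to send correct Jetty server version." contradicts the ConfVars change in this PR, where the code default for `zeppelin.server.jetty.name` also becomes `" "`; an absent property therefore resolves to the blank value, not to Jetty's real version. Either document how the real version is restored (an explicit value, or a dedicated setting) or drop the sentence. Also, the xml example keeps `<value> </value>`, which renders as an apparently empty tag, so the "(one whitespace char)" remark should say plainly that the value is a literal single space, and "any "String"" can simply read "any string".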
@@ -944,14 +944,14 @@ public enum ConfVars {
ZEPPELIN_WEBSOCKET_MAX_TEXT_MESSAGE_SIZE("zeppelin.websocket.max.text.message.size", "10240000"),
ZEPPELIN_SERVER_DEFAULT_DIR_ALLOWED("zeppelin.server.default.dir.allowed", false),
ZEPPELIN_SERVER_XFRAME_OPTIONS("zeppelin.server.xframe.options", "SAMEORIGIN"),
ZEPPELIN_SERVER_JETTY_NAME("zeppelin.server.jetty.name", null),
ZEPPELIN_SERVER_JETTY_NAME("zeppelin.server.jetty.name", " "),
ZEPPELIN_SERVER_JETTY_THREAD_POOL_MAX("zeppelin.server.jetty.thread.pool.max", 400),
ZEPPELIN_SERVER_JETTY_THREAD_POOL_MIN("zeppelin.server.jetty.thread.pool.min", 8),
ZEPPELIN_SERVER_JETTY_THREAD_POOL_TIMEOUT("zeppelin.server.jetty.thread.pool.timeout", 30),
ZEPPELIN_SERVER_JETTY_REQUEST_HEADER_SIZE("zeppelin.server.jetty.request.header.size", 8192),
ZEPPELIN_SERVER_AUTHORIZATION_HEADER_CLEAR("zeppelin.server.authorization.header.clear", true),
ZEPPELIN_SERVER_STRICT_TRANSPORT("zeppelin.server.strict.transport", "max-age=631138519"),
ZEPPELIN_SERVER_X_XSS_PROTECTION("zeppelin.server.xxss.protection", "1"),
ZEPPELIN_SERVER_X_XSS_PROTECTION("zeppelin.server.xxss.protection", "1; mode=block"),
ZEPPELIN_SERVER_X_CONTENT_TYPE_OPTIONS("zeppelin.server.xcontent.type.options", "nosniff"),

ZEPPELIN_SERVER_KERBEROS_KEYTAB("zeppelin.server.kerberos.keytab", ""),
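Review bot: changing `ZEPPELIN_SERVER_JETTY_NAME` from `null` to `" "` removes the way to get Jetty's real Server header back, because an absent property now resolves to the blank default (and docs/setup/security/http_security_headers.md in this PR states the opposite, that removing the property restores the version). Consider keeping `null` as "use Jetty's default" and shipping the blank value only in conf/zeppelin-site.xml.template, or add a unit test that asserts the resulting Server header for both the blank default and an explicit override so that any whitespace trimming in the configuration lookup is caught. The new `"1; mode=block"` default for `ZEPPELIN_SERVER_X_XSS_PROTECTION` deserves a matching assertion in the same test.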