ambari-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Robert Levas" <rle...@hortonworks.com>
Subject Review Request 38905: Add security-related HTTP headers to keep Ambari up to date with best-practices
Date Wed, 30 Sep 2015 20:51:14 GMT

-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/38905/
-----------------------------------------------------------

Review request for Ambari, Myroslav Papirkovskyy, Sid Wagle, and Vitalyi Brodetskyi.


Bugs: AMBARI-13278
    https://issues.apache.org/jira/browse/AMBARI-13278


Repository: ambari


Description
-------

Add security-related HTTP headers to keep Ambari up to date with best-practices. 
* Strict-Transport-Security
* X-Frame-Options
* X-XSS-Protection

These headers should be configurable via the ambari.properties such that they may be turned
on or off - and set to some custom value.

The default value for this headers should be as follows:
* Strict-Transport-Security: max-age=31536000
* X-Frame-Options: DENY
* X-XSS-Protection: 1; mode=block

Strict-Transport-Security should only be turned on if SSL is enabled.

The relevant Ambari properties should be:
* Strict-Transport-Security: http.strict-transport-security
* X-Frame-Options: http.x-frame-options
* X-XSS-Protection: http.x-xss-protection

By setting any of these to be empty, the header is to be turned off (or not set).

For example:
# Sets Strict-Transport-Security to a custom value
```
http.strict-transport-security=max-age=31536000; includeSubDomains
```
# Turns Strict-Transport-Security off}
```
http.strict-transport-security=
```


Diffs
-----

  ambari-server/conf/unix/ambari.properties 75e0fe1 
  ambari-server/conf/windows/ambari.properties a6a5aac 
  ambari-server/src/main/java/org/apache/ambari/server/configuration/Configuration.java e3686ac

  ambari-server/src/main/java/org/apache/ambari/server/controller/AmbariServer.java 3c598db

  ambari-server/src/main/java/org/apache/ambari/server/security/SecurityHeaderFilter.java
PRE-CREATION 
  ambari-server/src/test/java/org/apache/ambari/server/security/SecurityHeaderFilterTest.java
PRE-CREATION 

Diff: https://reviews.apache.org/r/38905/diff/


Testing
-------

Manually tested to see headers in response

# Local test results: PASSED

# Jenkins test results: PENDING


Thanks,

Robert Levas


Mime
  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message