ambari-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Robert Levas (JIRA)" <j...@apache.org>
Subject [jira] [Created] (AMBARI-13278) Add security-related HTTP headers to keep Ambari up to date with best-practices
Date Wed, 30 Sep 2015 16:52:04 GMT
Robert Levas created AMBARI-13278:
-------------------------------------

             Summary: Add security-related HTTP headers to keep Ambari up to date with best-practices
                 Key: AMBARI-13278
                 URL: https://issues.apache.org/jira/browse/AMBARI-13278
             Project: Ambari
          Issue Type: Bug
          Components: ambari-server
    Affects Versions: 1.7.0
            Reporter: Robert Levas
            Assignee: Robert Levas
             Fix For: 2.2.0, 2.0.3, 2.1.3


Add security-related HTTP headers to keep Ambari up to date with best-practices. 
* Strict-Transport-Security
* X-Frame-Options
* X-XSS-Protection

These headers should be configurable via the ambari.properties such that they may be turned
on or off - and set to some custom value.

The default value for this headers should be as follows:
* Strict-Transport-Security: max-age=31536000
* X-Frame-Options: DENY
* X-XSS-Protection: 1; mode=block

Strict-Transport-Security should only be turned on if SSL is enabled.

The relevant Ambari properties should be:
* Strict-Transport-Security: http.strict-transport-security
* X-Frame-Options: http.x-frame-options
* X-XSS-Protection: http.x-xss-protection

By setting any of these to be empty, the header is to be turned off (or not set).

For example:
{code:title=Sets Strict-Transport-Security to a custom value}
http.strict-transport-security=max-age=31536000; includeSubDomains
{code}

{code:title=Turns Strict-Transport-Security off}
http.strict-transport-security=
{code}




--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Mime
View raw message