ambari-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Jonathan Hurley" <jhur...@hortonworks.com>
Subject Re: Review Request 38985: Add security-related HTTP headers to Views to keep Ambari up to date with best-practices
Date Mon, 05 Oct 2015 15:29:38 GMT

-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/38985/#review101479
-----------------------------------------------------------

Ship it!


Ship It!

- Jonathan Hurley


On Oct. 4, 2015, 5:34 p.m., Robert Levas wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/38985/
> -----------------------------------------------------------
> 
> (Updated Oct. 4, 2015, 5:34 p.m.)
> 
> 
> Review request for Ambari, Jonathan Hurley, Mahadev Konar, Myroslav Papirkovskyy, and
Sumit Mohanty.
> 
> 
> Bugs: AMBARI-13304
>     https://issues.apache.org/jira/browse/AMBARI-13304
> 
> 
> Repository: ambari
> 
> 
> Description
> -------
> 
> Add security-related HTTP headers to *Views* to keep Ambari up to date with best-practices.

> * Strict-Transport-Security
> * X-Frame-Options
> * X-XSS-Protection
> 
> These headers should be configurable via the ambari.properties such that they may be
turned on or off - and set to some custom value.
> 
> The default value for this headers should be as follows:
> * Strict-Transport-Security: max-age=31536000
> * X-Frame-Options: DENY
> * X-XSS-Protection: 1; mode=block
> 
> Strict-Transport-Security should only be turned on if SSL is enabled.
> 
> The relevant Ambari properties should be:
> * Strict-Transport-Security: http.strict-transport-security
> * X-Frame-Options: http.x-frame-options
> * X-XSS-Protection: http.x-xss-protection
> 
> By setting any of these to be empty, the header is to be turned off (or not set).
> 
> For example:
> # Sets Strict-Transport-Security to a custom value}
> ```
> http.strict-transport-security=max-age=31536000; includeSubDomains
> ```
> 
> # Turns Strict-Transport-Security off}
> ```
> http.strict-transport-security=
> ```
> 
> 
> Diffs
> -----
> 
>   ambari-server/src/main/java/org/apache/ambari/server/controller/AmbariHandlerList.java
d1a7fde 
>   ambari-server/src/test/java/org/apache/ambari/server/controller/AmbariHandlerListTest.java
03bf6c4 
> 
> Diff: https://reviews.apache.org/r/38985/diff/
> 
> 
> Testing
> -------
> 
> Manually tested
> 
> # Local test results
> [INFO] ------------------------------------------------------------------------
> [INFO] BUILD SUCCESS
> [INFO] ------------------------------------------------------------------------
> [INFO] Total time: 53:25.938s
> [INFO] Finished at: Sun Oct 04 10:14:39 EDT 2015
> [INFO] Final Memory: 67M/1468M
> [INFO] ------------------------------------------------------------------------
> 
> #Jenkins test results: 
> [INFO] ------------------------------------------------------------------------
> [INFO] BUILD SUCCESS
> [INFO] ------------------------------------------------------------------------
> [INFO] Total time: 01:20 h
> [INFO] Finished at: 2015-10-04T17:25:15+00:00
> [INFO] Final Memory: 47M/614M
> [INFO] ------------------------------------------------------------------------
> 
> 
> Thanks,
> 
> Robert Levas
> 
>


Mime
  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message