Mailing-List: contact dev-help@ambari.apache.org; run by ezmlm
Precedence: bulk
Reply-To: dev@ambari.apache.org
Content-Type: multipart/alternative;
 boundary="===============5144942938130130186=="
MIME-Version: 1.0
Subject: Re: Review Request 38905: Add security-related HTTP headers to keep
 Ambari up to date with best-practices
From: "Myroslav Papirkovskyy" <mpapyrkovskyy@hortonworks.com>
To: "Myroslav Papirkovskyy" <mpapyrkovskyy@hortonworks.com>,
 "Sid Wagle" <swagle@hortonworks.com>,
 "Vitalyi Brodetskyi" <vbrodetskyi@hortonworks.com>
Cc: "Robert Levas" <rlevas@hortonworks.com>, "Ambari" <dev@ambari.apache.org>
Date: Thu, 01 Oct 2015 11:56:42 -0000
Message-ID: <20151001115642.1726.4430@reviews.apache.org>
Auto-Submitted: auto-generated
Sender: "Myroslav Papirkovskyy" <noreply@reviews.apache.org>
References: <20150930205114.23614.73317@reviews.apache.org>
In-Reply-To: <20150930205114.23614.73317@reviews.apache.org>
Reply-To: "Myroslav Papirkovskyy" <mpapyrkovskyy@hortonworks.com>

--===============5144942938130130186==
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 8bit


-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/38905/#review101217
-----------------------------------------------------------

Ship it!


Ship It!

- Myroslav Papirkovskyy


On Вер. 30, 2015, 11:51 після полудня, Robert Levas wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/38905/
> -----------------------------------------------------------
> 
> (Updated Вер. 30, 2015, 11:51 після полудня)
> 
> 
> Review request for Ambari, Myroslav Papirkovskyy, Sid Wagle, and Vitalyi Brodetskyi.
> 
> 
> Bugs: AMBARI-13278
>     https://issues.apache.org/jira/browse/AMBARI-13278
> 
> 
> Repository: ambari
> 
> 
> Description
> -------
> 
> Add security-related HTTP headers to keep Ambari up to date with best-practices. 
> * Strict-Transport-Security
> * X-Frame-Options
> * X-XSS-Protection
> 
> These headers should be configurable via the ambari.properties such that they may be turned on or off - and set to some custom value.
> 
> The default value for this headers should be as follows:
> * Strict-Transport-Security: max-age=31536000
> * X-Frame-Options: DENY
> * X-XSS-Protection: 1; mode=block
> 
> Strict-Transport-Security should only be turned on if SSL is enabled.
> 
> The relevant Ambari properties should be:
> * Strict-Transport-Security: http.strict-transport-security
> * X-Frame-Options: http.x-frame-options
> * X-XSS-Protection: http.x-xss-protection
> 
> By setting any of these to be empty, the header is to be turned off (or not set).
> 
> For example:
> # Sets Strict-Transport-Security to a custom value
> ```
> http.strict-transport-security=max-age=31536000; includeSubDomains
> ```
> # Turns Strict-Transport-Security off}
> ```
> http.strict-transport-security=
> ```
> 
> 
> Diffs
> -----
> 
>   ambari-server/conf/unix/ambari.properties 75e0fe1 
>   ambari-server/conf/windows/ambari.properties a6a5aac 
>   ambari-server/src/main/java/org/apache/ambari/server/configuration/Configuration.java e3686ac 
>   ambari-server/src/main/java/org/apache/ambari/server/controller/AmbariServer.java 3c598db 
>   ambari-server/src/main/java/org/apache/ambari/server/security/SecurityHeaderFilter.java PRE-CREATION 
>   ambari-server/src/test/java/org/apache/ambari/server/security/SecurityHeaderFilterTest.java PRE-CREATION 
> 
> Diff: https://reviews.apache.org/r/38905/diff/
> 
> 
> Testing
> -------
> 
> Manually tested to see headers in response
> 
> # Local test results: PASSED
> 
> # Jenkins test results: PENDING
> 
> 
> Thanks,
> 
> Robert Levas
> 
>


--===============5144942938130130186==--