Return-Path: X-Original-To: apmail-ambari-dev-archive@www.apache.org Delivered-To: apmail-ambari-dev-archive@www.apache.org Received: from mail.apache.org (hermes.apache.org [140.211.11.3]) by minotaur.apache.org (Postfix) with SMTP id 03E781774D for ; Wed, 7 Oct 2015 11:41:27 +0000 (UTC) Received: (qmail 89693 invoked by uid 500); 7 Oct 2015 11:41:26 -0000 Delivered-To: apmail-ambari-dev-archive@ambari.apache.org Received: (qmail 89654 invoked by uid 500); 7 Oct 2015 11:41:26 -0000 Mailing-List: contact dev-help@ambari.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Reply-To: dev@ambari.apache.org Delivered-To: mailing list dev@ambari.apache.org Received: (qmail 89638 invoked by uid 99); 7 Oct 2015 11:41:26 -0000 Received: from arcas.apache.org (HELO arcas.apache.org) (140.211.11.28) by apache.org (qpsmtpd/0.29) with ESMTP; Wed, 07 Oct 2015 11:41:26 +0000 Date: Wed, 7 Oct 2015 11:41:26 +0000 (UTC) From: "Hudson (JIRA)" To: dev@ambari.apache.org Message-ID: In-Reply-To: References: Subject: [jira] [Commented] (AMBARI-13304) Add security-related HTTP headers to Views to keep Ambari up to date with best-practices MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 7bit X-JIRA-FingerPrint: 30527f35849b9dde25b450d4833f0394 [ https://issues.apache.org/jira/browse/AMBARI-13304?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14946717#comment-14946717 ] Hudson commented on AMBARI-13304: --------------------------------- FAILURE: Integrated in Ambari-branch-2.1 #646 (See [https://builds.apache.org/job/Ambari-branch-2.1/646/]) AMBARI-13304. Add security-related HTTP headers to Views to keep Ambari (rlevas: [http://git-wip-us.apache.org/repos/asf?p=ambari.git&a=commit&h=5f853b571f0cfbe2122d083b8f7632ce8d8b809f]) * ambari-server/src/test/java/org/apache/ambari/server/controller/AmbariHandlerListTest.java * ambari-server/src/main/java/org/apache/ambari/server/controller/AmbariHandlerList.java > Add security-related HTTP headers to Views to keep Ambari up to date with best-practices > ---------------------------------------------------------------------------------------- > > Key: AMBARI-13304 > URL: https://issues.apache.org/jira/browse/AMBARI-13304 > Project: Ambari > Issue Type: Bug > Components: ambari-server > Affects Versions: 1.7.0 > Reporter: Robert Levas > Assignee: Robert Levas > Fix For: 2.2.0, 2.0.3, 2.1.3 > > Attachments: AMBARI-13304_branch-2.0.maint_01.patch, AMBARI-13304_branch-2.1_01.patch, AMBARI-13304_trunk_01.patch > > > Add security-related HTTP headers to Views to keep Ambari up to date with best-practices. > * Strict-Transport-Security > * X-Frame-Options > * X-XSS-Protection > These headers should be configurable via the ambari.properties such that they may be turned on or off - and set to some custom value. > The default value for this headers should be as follows: > * Strict-Transport-Security: max-age=31536000 > * X-Frame-Options: DENY > * X-XSS-Protection: 1; mode=block > Strict-Transport-Security should only be turned on if SSL is enabled. > The relevant Ambari properties should be: > * Strict-Transport-Security: http.strict-transport-security > * X-Frame-Options: http.x-frame-options > * X-XSS-Protection: http.x-xss-protection > By setting any of these to be empty, the header is to be turned off (or not set). > For example: > {code:title=Sets Strict-Transport-Security to a custom value} > http.strict-transport-security=max-age=31536000; includeSubDomains > {code} > {code:title=Turns Strict-Transport-Security off} > http.strict-transport-security= > {code} -- This message was sent by Atlassian JIRA (v6.3.4#6332)