spark-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Krishna Pandey (JIRA)" <j...@apache.org>
Subject [jira] [Created] (SPARK-22188) Add defense against Cross-Site Scripting, MIME-sniffing and MitM attack
Date Tue, 03 Oct 2017 13:01:00 GMT
Krishna Pandey created SPARK-22188:
--------------------------------------

             Summary: Add defense against Cross-Site Scripting, MIME-sniffing and MitM attack
                 Key: SPARK-22188
                 URL: https://issues.apache.org/jira/browse/SPARK-22188
             Project: Spark
          Issue Type: Bug
          Components: Spark Core
    Affects Versions: 2.2.0
            Reporter: Krishna Pandey
            Priority: Critical


Below HTTP Response headers can be added to improve security.

The HTTP *Strict-Transport-Security* response header (often abbreviated as HSTS) is a security
feature that lets a web site tell browsers that it should only be communicated with using
HTTPS, instead of using HTTP.

*Note:* The Strict-Transport-Security header is ignored by the browser when your site is accessed
using HTTP; this is because an attacker may intercept HTTP connections and inject the header
or remove it. When your site is accessed over HTTPS with no certificate errors, the browser
knows your site is HTTPS capable and will honor the Strict-Transport-Security header.

*An example scenario*
You log into a free WiFi access point at an airport and start surfing the web, visiting your
online banking service to check your balance and pay a couple of bills. Unfortunately, the
access point you're using is actually a hacker's laptop, and they're intercepting your original
HTTP request and redirecting you to a clone of your bank's site instead of the real thing.
Now your private data is exposed to the hacker.
Strict Transport Security resolves this problem; as long as you've accessed your bank's web
site once using HTTPS, and the bank's web site uses Strict Transport Security, your browser
will know to automatically use only HTTPS, which prevents hackers from performing this sort
of man-in-the-middle attack.

*Syntax:*
Strict-Transport-Security: max-age=<expire-time>
Strict-Transport-Security: max-age=<expire-time>; includeSubDomains
Strict-Transport-Security: max-age=<expire-time>; preload
Read more at https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security

The HTTP *X-XSS-Protection* response header is a feature of Internet Explorer, Chrome and
Safari that stops pages from loading when they detect reflected cross-site scripting (XSS)
attacks.

*Syntax:*
X-XSS-Protection: 0
X-XSS-Protection: 1
X-XSS-Protection: 1; mode=block
X-XSS-Protection: 1; report=<reporting-uri>
Read more at http://sss.jjefwfmpqfs.pjnpajmmb.ljpsh.us3.gsr.awhoer.net/en-US/docs/Web/HTTP/Headers/X-XSS-Protection

The HTTP *X-Content-Type-Options* response header is used to protect against MIME sniffing
vulnerabilities. These vulnerabilities can occur when a website allows users to upload content
to a website however the user disguises a particular file type as something else. This can
give them the opportunity to perform cross-site scripting and compromise the website. Read
more at https://www.keycdn.com/support/x-content-type-options/ and https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)

---------------------------------------------------------------------
To unsubscribe, e-mail: issues-unsubscribe@spark.apache.org
For additional commands, e-mail: issues-help@spark.apache.org


Mime
View raw message