Posted to issues@spark.apache.org by "t oo (JIRA)" <ji...@apache.org> on 2018/06/10 23:13:00 UTC

[jira] [Created] (SPARK-24508) Spark WebUIs [Security] - Inadequate Cache Directive Headers

t oo created SPARK-24508:
----------------------------

             Summary: Spark WebUIs [Security] - Inadequate Cache Directive Headers
                 Key: SPARK-24508
                 URL: https://issues.apache.org/jira/browse/SPARK-24508
             Project: Spark
          Issue Type: Bug
          Components: Web UI
    Affects Versions: 2.3.0
            Reporter: t oo


Several web portals do not use sufficient cache related headers.

Cache related headers instruct browsers and intermediary proxies not to cache any data received or sent. The following cache related headers were missing or not properly set:
 * Cache-Control: not set to no-cache no-store
 * Pragma header missing
 * Expires header not backdated or -1

The following applications/requests are affected (note that this is a non-exhaustive list, recommendations should be applied to all applications):
 [https://host:8480/api/v1/applications/app-20180522035225-0000/allexecutors]
 [https://host:18480/api/v1/applications?limit=1500&status=completed]
 *Business impact / attack scenario*
 By allowing proxies or browsers to cache sensitive information, it is possible for an attacker with access to the machine to retrieve information about Spark infrastructure.

 *Recommendation*
 Set the following cache related headers for all sensitive information:

Cache-Control: no-cache no-store
 Pragma: no-cache
 Expires: -1
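 An audit helper for the three headers in the recommendation above, added here as an example and not code from the Spark project; it assumes response headers are handed in as a plain dict, and every sample response is constructed. Note that Cache-Control directives are comma-separated, so the check expects `no-cache, no-store` and treats a space-separated value as one unknown directive.

```python
import email.utils
from datetime import datetime, timezone

REQUIRED_CC = {"no-cache", "no-store"}  # directives the report asks for

def _get(headers, name):
    """Case-insensitive header lookup over a plain dict."""
    return next((v for k, v in headers.items() if k.lower() == name.lower()), None)

def _directives(value):
    """Cache-Control/Pragma directives are comma-separated and case-insensitive;
    drop any '=arg' so the membership test sees bare names."""
    return {d.strip().split("=", 1)[0].lower() for d in value.split(",") if d.strip()}

def _expires_is_backdated(value, now):
    """True if Expires is -1/0 or an HTTP-date not later than `now`."""
    if value.strip() in ("-1", "0"):
        return True
    try:
        when = email.utils.parsedate_to_datetime(value)
    except (TypeError, ValueError):
        return False  # unparseable: flag it, the report asks for a properly set value
    if when.tzinfo is None:  # a "-0000" zone yields a naive datetime; treat as UTC
        when = when.replace(tzinfo=timezone.utc)
    return when <= now

def audit_cache_headers(headers, now=None):
    """Return the findings for one response's headers; [] means it passes."""
    now = now or datetime.now(timezone.utc)
    findings = []
    cc = _get(headers, "Cache-Control")
    if cc is None or not REQUIRED_CC <= _directives(cc):
        findings.append("Cache-Control: not set to no-cache, no-store")
    pragma = _get(headers, "Pragma")
    if pragma is None or "no-cache" not in _directives(pragma):
        findings.append("Pragma: missing or not no-cache")
    expires = _get(headers, "Expires")
    if expires is None or not _expires_is_backdated(expires, now):
        findings.append("Expires: missing, not backdated, or unparseable")
    return findings

# Constructed sample responses (not captured from a Spark UI).
SAMPLES = {
    "as_reported": {"Content-Type": "application/json"},
    "hardened": {"cache-control": "no-cache, no-store, must-revalidate",
                 "pragma": "no-cache", "expires": "-1"},
    "future_expires": {"Cache-Control": "no-cache, no-store", "Pragma": "no-cache",
                       "Expires": "Fri, 01 Jan 2100 00:00:00 GMT"},
}
```

Run `audit_cache_headers` over the headers of each endpoint in the list above; an empty result means the response carries all three directives as recommended.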


