Posted to issues@spark.apache.org by "t oo (JIRA)" <ji...@apache.org> on 2018/06/10 23:13:00 UTC
[jira] [Created] (SPARK-24508) Spark WebUIs [Security] - Inadequate Cache Directive Headers
t oo created SPARK-24508:
----------------------------
Summary: Spark WebUIs [Security] - Inadequate Cache Directive Headers
Key: SPARK-24508
URL: https://issues.apache.org/jira/browse/SPARK-24508
Project: Spark
Issue Type: Bug
Components: Web UI
Affects Versions: 2.3.0
Reporter: t oo
Several web portals do not use sufficient cache related headers.
Cache-related headers instruct browsers and intermediary proxies not to cache any data received or sent. The following cache-related headers were missing or not properly set:
* Cache-Control: not set to no-cache no-store
* Pragma header missing
* Expires header not backdated or -1
The following applications/requests are affected (note that this is a non-exhaustive list, recommendations should be applied to all applications):
[https://host:8480/api/v1/applications/app-20180522035225-0000/allexecutors]
[https://host:18480/api/v1/applications?limit=1500&status=completed]
*Business impact / attack scenario*
By allowing proxies or browsers to cache sensitive information, it is possible for an attacker with access to the machine to retrieve information about Spark infrastructure.
*Recommendation*
Set the following cache related headers for all sensitive information:
Cache-Control: no-cache no-store
Pragma: no-cache
Expires: -1
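A header audit for the three findings above, as an added example that is not part of this issue or of Spark's code: it checks one response's headers against the recommended directives and reports which of the issue's findings apply. The sample header sets are constructed, not captured from a real Spark UI, and the check accepts both the comma-separated Cache-Control syntax and the space-separated form written in the issue.

```python
import email.utils
import re
from datetime import datetime, timezone

# Constructed sample responses (hypothetical, not captured from a real Spark UI).
# MISSING mirrors the issue's finding: no cache directives at all.
MISSING = {"Content-Type": "application/json"}
# RECOMMENDED carries the headers the issue asks for (comma form per RFC 7234).
RECOMMENDED = {
    "Content-Type": "application/json",
    "Cache-Control": "no-cache, no-store",
    "Pragma": "no-cache",
    "Expires": "-1",
}

def _cache_control_directives(value):
    """Lower-cased directive names; accepts the RFC comma form and the
    space-separated form used in the issue text (max-age=0 keeps only its name)."""
    return {p.split("=", 1)[0].lower() for p in re.split(r"[,\s]+", value) if p}

def _expires_is_stale(value, now=None):
    """True if Expires is -1/0 or an HTTP-date already in the past. RFC 7234
    treats an unparseable Expires as already expired, so garbage counts too."""
    value = value.strip()
    if value in ("-1", "0"):
        return True
    try:
        expires = email.utils.parsedate_to_datetime(value)
    except (ValueError, TypeError):  # malformed date (TypeError on Python < 3.10)
        return True
    if expires.tzinfo is None:  # '-0000' dates come back naive; treat as UTC
        expires = expires.replace(tzinfo=timezone.utc)
    return expires <= (now or datetime.now(timezone.utc))

def audit_cache_headers(headers, now=None):
    """Return the issue's findings that apply to one response's headers
    (empty list = matches the recommendation). Names match case-insensitively."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []
    if not {"no-cache", "no-store"} <= _cache_control_directives(h.get("cache-control", "")):
        findings.append("Cache-Control: not set to no-cache no-store")
    if h.get("pragma", "").strip().lower() != "no-cache":
        findings.append("Pragma header missing")
    if "expires" not in h or not _expires_is_stale(h["expires"], now):
        findings.append("Expires header not backdated or -1")
    return findings

if __name__ == "__main__":
    for name, hdrs in (("MISSING", MISSING), ("RECOMMENDED", RECOMMENDED)):
        print(name, audit_cache_headers(hdrs) or "OK")
```

Feed it the headers returned by each listed endpoint (for example from an HTTP client's response object) to confirm the fix was applied everywhere, not only on the two URLs in the report.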