You are viewing a plain text version of this content. The canonical link for it is here.

Posted to dev@ambari.apache.org by "Robert Levas (JIRA)" <ji...@apache.org> on 2015/10/13 02:34:05 UTC

[jira] [Updated] (AMBARI-13351) Security-related HTTP headers should be set separately for Ambari Views then for Ambari server UI

     [ https://issues.apache.org/jira/browse/AMBARI-13351?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Robert Levas updated AMBARI-13351:
----------------------------------
    Attachment: AMBARI-13351_trunk_01.patch
                AMBARI-13351_branch-2.1_01.patch

> Security-related HTTP headers should be set separately for Ambari Views then for Ambari server UI
> -------------------------------------------------------------------------------------------------
>
>                 Key: AMBARI-13351
>                 URL: https://issues.apache.org/jira/browse/AMBARI-13351
>             Project: Ambari
>          Issue Type: Bug
>          Components: ambari-server
>    Affects Versions: 2.1.3
>            Reporter: Robert Levas
>            Assignee: Robert Levas
>              Labels: security
>             Fix For: 2.1.3
>
>         Attachments: AMBARI-13351_branch-2.1_01.patch, AMBARI-13351_trunk_01.patch
>
>
> The security-related HTTP headers should be set separately for the Ambari Views then for the Ambari server UI. This is because they have different requirements.  For example the Ambari server UI should not be allowed to execute in an iframe (by default) where Ambari View must be able to execute in an iframe invoked from the same origin.
> The relevant headers are:
> * Strict-Transport-Security
> * X-Frame-Options
> * X-XSS-Protection
> These headers should be configurable via the ambari.properties such that they may be turned on or off - and set to some custom value.
> The default value for this headers should be as follows:
> * Strict-Transport-Security: max-age=31536000
> * X-Frame-Options: SAMEORIGIN
> * X-XSS-Protection: 1; mode=block
> Strict-Transport-Security should only be turned on if SSL is enabled.
> The relevant Ambari properties should be:
> * Strict-Transport-Security: views.http.strict-transport-security
> * X-Frame-Options: views.http.x-frame-options
> * X-XSS-Protection: views.http.x-xss-protection
> By setting any of these to be empty, the header is to be turned off (or not set).
> For example:
> {code:title=Sets Strict-Transport-Security to a custom value}
> views.http.strict-transport-security=max-age=31536000; includeSubDomains
> {code}
> {code:title=Turns Strict-Transport-Security off}
> views.http.strict-transport-security=
> {code}



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)