You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@hbase.apache.org by "Toshihiro Suzuki (Jira)" <ji...@apache.org> on 2019/12/08 13:52:00 UTC
[jira] [Commented] (HBASE-23303) Add security headers to REST
server/info page
[ https://issues.apache.org/jira/browse/HBASE-23303?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16990857#comment-16990857 ]
Toshihiro Suzuki commented on HBASE-23303:
------------------------------------------
Pushed to master, branch-2, branch-2.2 and branch-2.1.
Thank you for the contribution! [~andor]
> Add security headers to REST server/info page
> ---------------------------------------------
>
> Key: HBASE-23303
> URL: https://issues.apache.org/jira/browse/HBASE-23303
> Project: HBase
> Issue Type: Improvement
> Components: REST
> Affects Versions: 3.0.0, 2.0.6, 2.1.7, 2.2.2
> Reporter: Andor Molnar
> Assignee: Andor Molnar
> Priority: Major
> Fix For: 3.0.0, 2.3.0, 2.2.3, 2.1.9
>
>
> Vulnerability scanners suggest that the following extra headers should be added to both Info/Rest server endpoints which are exposed by {{hbase-rest}} project.
> * X-Frame-Options: SAMEORIGIN
> * X-Xss-Protection: 1; mode=block
> * X-Content-Type-Options: nosniff
> * Strict-Transport-Security: “max-age=63072000;includeSubDomains;preload”
> * Content-Security-Policy: default-src https: data: 'unsafe-inline' 'unsafe-eval'
> Info server already has "X-Frame-Options: DENY" which is more restrictive than "SAMEORIGIN", so it's probably fine. All of three headers are missing from REST responses.
> I'll put together a patch to resolve this.
--
This message was sent by Atlassian Jira
(v8.3.4#803005)