You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@zeppelin.apache.org by GitBox <gi...@apache.org> on 2019/12/07 02:00:36 UTC
[GitHub] [zeppelin] VipinRathor opened a new pull request #3544:
[ZEPPELIN-4471] Add HTTP security header X-Content-Type-Options
VipinRathor opened a new pull request #3544: [ZEPPELIN-4471] Add HTTP security header X-Content-Type-Options
URL: https://github.com/apache/zeppelin/pull/3544
### What is this PR for?
This PR adds support for X-Content-Type-Options response header. As per Security best practices, Zeppelin server should have an option to include "X-Content-Type-Options: nosniff" header in HTTP response. This header prevents MIME type sniffing attack on web server.
### What type of PR is it?
[Improvement]
### Todos
* [ ] - Document the new option
### What is the Jira issue?
https://issues.apache.org/jira/browse/ZEPPELIN-4471
### How should this be tested?
* Travis CI should pass
* Manual verification
HTTP response header before patch (missing X-Content-Type-Options header):
```
$ curl -i `hostname -f`:8080
HTTP/1.1 200 OK
Date: Sat, 07 Dec 2019 00:43:34 GMT
Access-Control-Allow-Credentials: true
Access-Control-Allow-Headers: authorization,Content-Type
Access-Control-Allow-Methods: POST, GET, OPTIONS, PUT, HEAD, DELETE
X-FRAME-OPTIONS: SAMEORIGIN
X-XSS-Protection: 1
Last-Modified: Sat, 07 Dec 2019 00:35:42 GMT
Content-Type: text/html
Accept-Ranges: bytes
Content-Length: 4660
Server: Jetty(9.4.18.v20190429)
```
HTTP response header after patch (notice the X-Content-Type-Options header):
```
$ curl -i `hostname -f`:8080
HTTP/1.1 200 OK
Date: Sat, 07 Dec 2019 01:30:37 GMT
Access-Control-Allow-Credentials: true
Access-Control-Allow-Headers: authorization,Content-Type
Access-Control-Allow-Methods: POST, GET, OPTIONS, PUT, HEAD, DELETE
X-FRAME-OPTIONS: SAMEORIGIN
X-XSS-Protection: 1
X-Content-Type-Options: nosniff
Last-Modified: Sat, 07 Dec 2019 01:28:44 GMT
Content-Type: text/html
Accept-Ranges: bytes
Content-Length: 4660
Server: Jetty(9.4.18.v20190429)
```
### Questions:
* Does the licenses files need update?
No
* Is there breaking changes for older versions?
No
* Does this needs documentation?
Yes
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
With regards,
Apache Git Services