You are viewing a plain text version of this content. The canonical link for it is here.

Posted to dev@zeppelin.apache.org by GitBox <gi...@apache.org> on 2019/12/07 02:00:36 UTC

[GitHub] [zeppelin] VipinRathor opened a new pull request #3544: [ZEPPELIN-4471] Add HTTP security header X-Content-Type-Options

VipinRathor opened a new pull request #3544: [ZEPPELIN-4471] Add HTTP security header X-Content-Type-Options
URL: https://github.com/apache/zeppelin/pull/3544
 
 
   ### What is this PR for?
   This PR adds support for X-Content-Type-Options response header. As per Security best practices, Zeppelin server should have an option to include "X-Content-Type-Options: nosniff" header in HTTP response. This header prevents MIME type sniffing attack on web server.
   
   ### What type of PR is it?
   [Improvement]
   
   ### Todos
   * [ ] - Document the new option
   
   ### What is the Jira issue?
   https://issues.apache.org/jira/browse/ZEPPELIN-4471
   
   ### How should this be tested?
   * Travis CI should pass
   * Manual verification
   HTTP response header before patch (missing X-Content-Type-Options header):
   ```
   $ curl -i `hostname -f`:8080
   HTTP/1.1 200 OK
   Date: Sat, 07 Dec 2019 00:43:34 GMT
   Access-Control-Allow-Credentials: true
   Access-Control-Allow-Headers: authorization,Content-Type
   Access-Control-Allow-Methods: POST, GET, OPTIONS, PUT, HEAD, DELETE
   X-FRAME-OPTIONS: SAMEORIGIN
   X-XSS-Protection: 1
   Last-Modified: Sat, 07 Dec 2019 00:35:42 GMT
   Content-Type: text/html
   Accept-Ranges: bytes
   Content-Length: 4660
   Server: Jetty(9.4.18.v20190429)
   ```
   
   HTTP response header after patch (notice the X-Content-Type-Options header):
   ```
   $ curl -i `hostname -f`:8080
   HTTP/1.1 200 OK
   Date: Sat, 07 Dec 2019 01:30:37 GMT
   Access-Control-Allow-Credentials: true
   Access-Control-Allow-Headers: authorization,Content-Type
   Access-Control-Allow-Methods: POST, GET, OPTIONS, PUT, HEAD, DELETE
   X-FRAME-OPTIONS: SAMEORIGIN
   X-XSS-Protection: 1
   X-Content-Type-Options: nosniff
   Last-Modified: Sat, 07 Dec 2019 01:28:44 GMT
   Content-Type: text/html
   Accept-Ranges: bytes
   Content-Length: 4660
   Server: Jetty(9.4.18.v20190429)
   ```
   
   ### Questions:
   * Does the licenses files need update?
   No
   * Is there breaking changes for older versions?
   No
   * Does this needs documentation?
   Yes
   

----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
 
For queries about this service, please contact Infrastructure at:
users@infra.apache.org


With regards,
Apache Git Services