Posted to dev@ambari.apache.org by Robert Levas <rl...@hortonworks.com> on 2015/09/30 22:51:14 UTC
Review Request 38905: Add security-related HTTP headers to keep Ambari up to date with best-practices
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/38905/
-----------------------------------------------------------
Review request for Ambari, Myroslav Papirkovskyy, Sid Wagle, and Vitalyi Brodetskyi.
Bugs: AMBARI-13278
https://issues.apache.org/jira/browse/AMBARI-13278
Repository: ambari
Description
-------
Add security-related HTTP headers to keep Ambari up to date with best-practices.
* Strict-Transport-Security
* X-Frame-Options
* X-XSS-Protection
These headers should be configurable via the ambari.properties such that they may be turned on or off - and set to some custom value.
The default values for these headers should be as follows:
* Strict-Transport-Security: max-age=31536000
* X-Frame-Options: DENY
* X-XSS-Protection: 1; mode=block
Strict-Transport-Security should only be turned on if SSL is enabled.
The relevant Ambari properties should be:
* Strict-Transport-Security: http.strict-transport-security
* X-Frame-Options: http.x-frame-options
* X-XSS-Protection: http.x-xss-protection
By setting any of these to be empty, the header is to be turned off (or not set).
For example:
# Sets Strict-Transport-Security to a custom value
```
http.strict-transport-security=max-age=31536000; includeSubDomains
```
# Turns Strict-Transport-Security off
```
http.strict-transport-security=
```
Diffs
-----
ambari-server/conf/unix/ambari.properties 75e0fe1
ambari-server/conf/windows/ambari.properties a6a5aac
ambari-server/src/main/java/org/apache/ambari/server/configuration/Configuration.java e3686ac
ambari-server/src/main/java/org/apache/ambari/server/controller/AmbariServer.java 3c598db
ambari-server/src/main/java/org/apache/ambari/server/security/SecurityHeaderFilter.java PRE-CREATION
ambari-server/src/test/java/org/apache/ambari/server/security/SecurityHeaderFilterTest.java PRE-CREATION
Diff: https://reviews.apache.org/r/38905/diff/
Testing
-------
Manually tested to see headers in response
# Local test results: PASSED
# Jenkins test results: PENDING
Thanks,
Robert Levas
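The configuration rules from the description, as an added Python model (not Ambari's own SecurityHeaderFilter, which is Java): it reads an ambari.properties fragment, resolves which headers the server should emit (defaults, empty value turns a header off, HSTS only with SSL), and checks a captured response against that policy. The sample properties fragment and response headers are constructed.

```python
# Model of the header policy described in the review request (added example,
# not Ambari's SecurityHeaderFilter): parse ambari.properties-style text, apply
# the defaults, honour "empty value turns the header off", and gate HSTS on SSL.

# Property name -> (header name, default value), as listed in the review request.
HEADER_PROPERTIES = {
    "http.strict-transport-security": ("Strict-Transport-Security", "max-age=31536000"),
    "http.x-frame-options": ("X-Frame-Options", "DENY"),
    "http.x-xss-protection": ("X-XSS-Protection", "1; mode=block"),
}

# Constructed sample ambari.properties fragment (not from the Ambari repository).
SAMPLE_PROPERTIES = """
# custom HSTS value; X-Frame-Options left at its default; X-XSS-Protection turned off
http.strict-transport-security=max-age=31536000; includeSubDomains
http.x-xss-protection=
"""


def parse_properties(text):
    """Minimal .properties reader: key=value lines, '#' and '!' comment lines skipped."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")  # split on the first '=' only
        if sep:
            props[key.strip()] = value.strip()
    return props


def resolve_security_headers(props, ssl_enabled):
    """Headers the server should emit: absent property -> default, empty value ->
    header off, and Strict-Transport-Security only when SSL is enabled."""
    headers = {}
    for prop, (header, default) in HEADER_PROPERTIES.items():
        value = props.get(prop, default)
        if value == "" or (header == "Strict-Transport-Security" and not ssl_enabled):
            continue
        headers[header] = value
    return headers


def check_response_headers(response_headers, expected):
    """Compare a real response's headers (names matched case-insensitively) with the
    resolved policy; returns (header, expected, actual) for each missing or wrong one."""
    seen = {name.lower(): value for name, value in response_headers.items()}
    return [(h, v, seen.get(h.lower())) for h, v in expected.items() if seen.get(h.lower()) != v]
```

Feeding the server's actual response headers to check_response_headers gives the same kind of verification the "manually tested to see headers in response" step does, but in a form that can run in a test.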
Re: Review Request 38905: Add security-related HTTP headers to keep Ambari up to date with best-practices
Posted by Vitalyi Brodetskyi <vb...@hortonworks.com>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/38905/#review101220
-----------------------------------------------------------
Ship it!
Ship It!
- Vitalyi Brodetskyi
On Sept. 30, 2015, 8:51 p.m., Robert Levas wrote:
Re: Review Request 38905: Add security-related HTTP headers to keep Ambari up to date with best-practices
Posted by Myroslav Papirkovskyy <mp...@hortonworks.com>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/38905/#review101217
-----------------------------------------------------------
Ship it!
Ship It!
- Myroslav Papirkovskyy
On Sept. 30, 2015, 11:51 p.m., Robert Levas wrote: