Posted to commits@hive.apache.org by da...@apache.org on 2019/07/17 18:41:31 UTC

[hive] branch master updated: HIVE-21986: HiveServer Web UI: Setting the Strict-Transport-Security in default response header (Rajkumar Singh, reviewed by Gopal V)

This is an automated email from the ASF dual-hosted git repository.

daijy pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/hive.git


The following commit(s) were added to refs/heads/master by this push:
     new 96dc429  HIVE-21986: HiveServer Web UI: Setting the Strict-Transport-Security in default response header (Rajkumar Singh, reviewed by Gopal V)
96dc429 is described below

commit 96dc42999619a4c313e769e5335f6fbefb3d9167
Author: Daniel Dai <da...@cloudera.com>
AuthorDate: Wed Jul 17 11:41:20 2019 -0700

    HIVE-21986: HiveServer Web UI: Setting the Strict-Transport-Security in default response header (Rajkumar Singh, reviewed by Gopal V)
---
 common/src/java/org/apache/hive/http/HttpServer.java | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/common/src/java/org/apache/hive/http/HttpServer.java b/common/src/java/org/apache/hive/http/HttpServer.java
index 35ab7f8..b3ce8da 100644
--- a/common/src/java/org/apache/hive/http/HttpServer.java
+++ b/common/src/java/org/apache/hive/http/HttpServer.java
@@ -113,12 +113,15 @@ public class HttpServer {
   public static final String ADMINS_ACL = "admins.acl";
   private XFrameOption xFrameOption;
   private boolean xFrameOptionIsEnabled;
+  private boolean isSSLEnabled;
   public static final String HTTP_HEADER_PREFIX = "hadoop.http.header.";
   private static final String X_FRAME_OPTIONS = "X-FRAME-OPTIONS";
   static final String X_XSS_PROTECTION  =
           "X-XSS-Protection:1; mode=block";
   static final String X_CONTENT_TYPE_OPTIONS =
           "X-Content-Type-Options:nosniff";
+  static final String STRICT_TRANSPORT_SECURITY =
+          "Strict-Transport-Security:max-age=31536000; includeSubDomains";
   private static final String HTTP_HEADER_REGEX =
           "hadoop\\.http\\.header\\.([a-zA-Z\\-_]+)";
   private static final Pattern PATTERN_HTTP_HEADER_REGEX =
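Review bot: The `STRICT_TRANSPORT_SECURITY` constant hard-codes a one-year `max-age` with `includeSubDomains`, and nothing in this hunk documents how far that policy reaches. HSTS is keyed on the host name rather than the port, so a browser that has seen this header will also upgrade requests to any plain-HTTP UI served from the same host on another port, and to every subdomain, until the year expires. I would add a comment above the constant such as `// HSTS applies per host name (all ports) and, with includeSubDomains, to every subdomain; browsers cache it for max-age seconds.` Whether an operator can override the value through a `hadoop.http.header.` property is not visible here, and is worth stating in the same comment if so.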
@@ -137,6 +140,7 @@ public class HttpServer {
   private HttpServer(final Builder b) throws IOException {
     this.name = b.name;
     this.xFrameOptionIsEnabled = b.xFrameEnabled;
+    this.isSSLEnabled = b.useSSL;
     this.xFrameOption = b.xFrameOption;
     createWebServer(b);
   }
@@ -675,6 +679,10 @@ public class HttpServer {
     splitVal = X_XSS_PROTECTION.split(":");
     headers.put(HTTP_HEADER_PREFIX + splitVal[0],
             splitVal[1]);
+    if(this.isSSLEnabled){
+      splitVal = STRICT_TRANSPORT_SECURITY.split(":");
+      headers.put(HTTP_HEADER_PREFIX + splitVal[0],splitVal[1]);
+    }
     return headers;
   }
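Review bot: Nothing in this commit pins the new `if(this.isSSLEnabled)` branch with a test: the diffstat lists only HttpServer.java, so a later refactor could drop the header on HTTPS or start emitting it on plain HTTP unnoticed. A small test asserting that the header is in the returned map when `useSSL` is set, and absent otherwise, would cover it. Separately, `STRICT_TRANSPORT_SECURITY.split(":")` would truncate the value if a colon were ever added to it; `splitVal = STRICT_TRANSPORT_SECURITY.split(":", 2);` keeps the whole value. The enclosing method begins above this hunk, so how these defaults interact with configured headers is not visible here.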