Posted to dev@hbase.apache.org by "Andor Molnar (Jira)" <ji...@apache.org> on 2019/11/15 14:47:00 UTC

[jira] [Created] (HBASE-23303) Add security headers to REST server/info page

Andor Molnar created HBASE-23303:
------------------------------------

             Summary: Add security headers to REST server/info page
                 Key: HBASE-23303
                 URL: https://issues.apache.org/jira/browse/HBASE-23303
             Project: HBase
          Issue Type: Improvement
          Components: REST
    Affects Versions: 2.2.2, 2.1.7, 2.0.6, 3.0.0
            Reporter: Andor Molnar
            Assignee: Andor Molnar


Vulnerability scanners suggest that the following extra headers should be added to both the Info and REST server endpoints exposed by the {{hbase-rest}} project.
 * X-Content-Type-Options: nosniff
 * X-XSS-Protection: 1; mode=block
 * X-Frame-Options: SAMEORIGIN

The Info server already has "X-Frame-Options: DENY", which is more restrictive than "SAMEORIGIN", so it's probably fine. All three headers are missing from REST responses.

I'll put together a patch to resolve this.
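As an added example (not part of this issue or of the HBase code base), a small Python checker that reports which of the three headers a response lacks, and that accepts the Info server's existing "X-Frame-Options: DENY" as satisfying the SAMEORIGIN requirement. The sample responses are constructed to mirror the situation described above.

```python
# Added example, not HBase project code: check one raw HTTP response for the
# three headers named in HBASE-23303. X-Frame-Options: DENY is accepted in
# place of SAMEORIGIN because it is the stricter setting.

# Expected header (lower-cased) -> accepted values, strictest first.
EXPECTED = {
    "x-content-type-options": ["nosniff"],
    "x-xss-protection": ["1; mode=block"],
    "x-frame-options": ["DENY", "SAMEORIGIN"],
}


def parse_headers(raw):
    """Parse a raw HTTP response (status line + header block) into a dict
    keyed by lower-cased header name; a later duplicate overrides an earlier one."""
    headers = {}
    for line in raw.splitlines()[1:]:   # skip the status line
        if not line.strip():            # blank line ends the header block
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def canon(value):
    """Comparison form: these header values are case-insensitive tokens and
    whitespace around ';' is optional, so drop case and all whitespace."""
    return "".join(value.split()).lower()


def missing_headers(raw):
    """Return (header, problem) for every expected header that is absent or
    carries a value a scanner would still flag; an empty list means all present."""
    present = parse_headers(raw)
    findings = []
    for name, accepted in EXPECTED.items():
        if name not in present:
            findings.append((name, "missing"))
        elif canon(present[name]) not in {canon(a) for a in accepted}:
            findings.append((name, "unexpected value %r" % present[name]))
    return findings


# Constructed sample responses modelled on the issue description.
REST_RESPONSE = "HTTP/1.1 200 OK\r\nContent-Type: application/json\r\n\r\n{}"
INFO_RESPONSE = ("HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
                 "X-Frame-Options: DENY\r\n\r\n<html></html>")
HARDENED_RESPONSE = ("HTTP/1.1 200 OK\r\nX-Content-Type-Options: nosniff\r\n"
                     "X-XSS-Protection: 1; mode=block\r\n"
                     "X-Frame-Options: SAMEORIGIN\r\n\r\n{}")
```

Running missing_headers over REST_RESPONSE lists all three headers as missing, over INFO_RESPONSE only the first two, and over HARDENED_RESPONSE nothing.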