Posted to commits@zeppelin.apache.org by al...@apache.org on 2020/04/06 16:54:24 UTC

[zeppelin] branch branch-0.9 updated: [ZEPPELIN-4723] Enable HTTP security headers by default


alexott pushed a commit to branch branch-0.9
in repository https://gitbox.apache.org/repos/asf/zeppelin.git


The following commit(s) were added to refs/heads/branch-0.9 by this push:
     new c0d632a  [ZEPPELIN-4723] Enable HTTP security headers by default
c0d632a is described below

commit c0d632a1e1030dc141b7b49530cc0473f7d7f4f6
Author: Krishna Pandey <kp...@cloudera.com>
AuthorDate: Mon Apr 6 13:18:12 2020 +0530

    [ZEPPELIN-4723] Enable HTTP security headers by default
    
    ### What is this PR for?
    Zeppelin when installed with the default configuration does not enable the common web application security headers (zeppelin.server.xframe.options, zeppelin.server.xxss.protection, zeppelin.server.jetty.name, zeppelin.server.xcontent.type.options). A default installation therefore ships without clickjacking, MIME-sniffing and server-fingerprinting mitigations.
    
    ### What type of PR is it?
    Improvement
    
    ### Todos
    * Discuss HSTS header config (zeppelin.server.strict.transport) which if enabled requires TLS to be configured for Zeppelin to work
    
    ### What is the Jira issue?
    * [ZEPPELIN-4723](https://issues.apache.org/jira/browse/ZEPPELIN-4723)
    
    ### How should this be tested?
    * Below headers can be verified with received HTTP response
    Server:
    X-Content-Type-Options: nosniff
    X-FRAME-OPTIONS: SAMEORIGIN
    X-XSS-Protection: 1; mode=block
    
    Here is Travis test run link which passed: https://travis-ci.org/github/krishna-pandey/zeppelin/builds/670946421
    
    ### Questions:
    * Does the licenses files need update? No
    * Is there breaking changes for older versions? No
    * Does this needs documentation? No
    
    Author: Krishna Pandey <kp...@cloudera.com>
    
    Closes #3716 from krishna-pandey/ZEPPELIN-4723 and squashes the following commits:
    
    afde17f07 [Krishna Pandey] Added default config values
    01d3040b9 [Krishna Pandey] Added documentation for enabled headers with default values
    f7578adc1 [Krishna Pandey] removed HSTS header, requires TLS config for Zeppelin to start
    6fbd30e12 [Krishna Pandey] Enable HTTP security headers by default
    
    (cherry picked from commit 8952b27ea45d798305ccece2e1226188f2ee4025)
    Signed-off-by: Alex Ott <al...@apache.org>
---
 conf/zeppelin-site.xml.template                          | 12 ++----------
 docs/setup/security/http_security_headers.md             | 16 ++++++++--------
 .../org/apache/zeppelin/conf/ZeppelinConfiguration.java  |  4 ++--
 3 files changed, 12 insertions(+), 20 deletions(-)

diff --git a/conf/zeppelin-site.xml.template b/conf/zeppelin-site.xml.template
index 6d33433..a1368e3 100755
--- a/conf/zeppelin-site.xml.template
+++ b/conf/zeppelin-site.xml.template
@@ -519,13 +519,11 @@
 </property>
 -->
 
-<!--
 <property>
     <name>zeppelin.server.jetty.name</name>
-    <value>Jetty(7.6.0.v20120127)</value>
+    <value> </value>
     <description>Hardcoding Application Server name to Prevent Fingerprinting</description>
 </property>
--->
 
 <!--
 <property>
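Review bot: The new `<value> </value>` on the `zeppelin.server.jetty.name` property is a whitespace-only element, and as far as I recall commons-configuration's XMLConfiguration (which ZeppelinConfiguration extends) trims element text unless `xml:space="preserve"` is set, so the value read back is likely an empty string rather than a single space; whether an empty string still overrides the Jetty banner depends on server code outside this hunk and deserves a test. The `Server:` line in the PR's verification output shows the header is still emitted with a blank value, so this hides the version but not the header's presence; if the intent is to drop it entirely, Jetty's `HttpConfiguration.setSendServerVersion(false)` does that without a sentinel value. At minimum the description should explain the blank, e.g. `<description>Value sent in the Server response header. A blank value hides the Jetty name and version (the header is still sent, but empty); set any string to send that instead.</description>`.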
@@ -565,13 +563,11 @@
 </property>
 -->
 
-<!--
 <property>
   <name>zeppelin.server.xframe.options</name>
   <value>SAMEORIGIN</value>
   <description>The X-Frame-Options HTTP response header can be used to indicate whether or not a browser should be allowed to render a page in a frame/iframe/object.</description>
 </property>
--->
 
 <!--
 <property>
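Review bot: Enabling `SAMEORIGIN` by default on the `zeppelin.server.xframe.options` property breaks any deployment that embeds Zeppelin content (for example a shared paragraph in an iframe) from a different origin, which the PR's "breaking changes: No" answer does not account for; that effect should be stated in the description text and in the release notes. I would extend the description to name the alternatives, e.g. `<description>The X-Frame-Options HTTP response header tells the browser whether this page may be rendered in a frame/iframe/object. SAMEORIGIN (default) allows framing only from Zeppelin's own origin and therefore blocks embedding from other sites; DENY forbids framing entirely.</description>`. Note that removing the property from zeppelin-site.xml does not turn the header off, because the code default is also SAMEORIGIN.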
@@ -580,22 +576,18 @@
   <description>The HTTP Strict-Transport-Security response header is a security feature that lets a web site tell browsers that it should only be communicated with using HTTPS, instead of using HTTP. Enable this when Zeppelin is running on HTTPS. Value is in Seconds, the default value is equivalent to 20 years.</description>
 </property>
 -->
-<!--
 
 <property>
   <name>zeppelin.server.xxss.protection</name>
-  <value>1</value>
+  <value>1; mode=block</value>
   <description>The HTTP X-XSS-Protection response header is a feature of Internet Explorer, Chrome and Safari that stops pages from loading when they detect reflected cross-site scripting (XSS) attacks. When value is set to 1 and a cross-site scripting attack is detected, the browser will sanitize the page (remove the unsafe parts).</description>
 </property>
--->
 
-<!--
 <property>
   <name>zeppelin.server.xcontent.type.options</name>
   <value>nosniff</value>
   <description>The HTTP X-Content-Type-Options response header helps to prevent MIME type sniffing attacks. It directs the browser to honor the type specified in the Content-Type header, rather than trying to determine the type from the content itself. The default value "nosniff" is really the only meaningful value. This header is supported on all browsers except Safari and Safari on iOS.</description>
 </property>
--->
 
 <!--
 <property>
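Review bot: The description of `zeppelin.server.xxss.protection` no longer matches its value: it says that with `1` "the browser will sanitize the page", but the new default `1; mode=block` instructs the browser to stop rendering the page instead of sanitizing it, so the sentence should read `When the value is "1; mode=block" (default) and a reflected XSS attack is detected, the browser blocks rendering of the page; "1" alone makes the browser sanitize (remove the unsafe parts) instead.` It is also worth saying in the description that this header is legacy: the XSS auditor was removed from Chromium-based browsers and was never in Firefox, and current OWASP guidance recommends `0` because the filter itself has been abused as a cross-site leak in browsers that still implement it, so operators should not rely on it as an XSS mitigation. Enabling it by default is defensible, but the trade-off should be documented rather than presented as a plain hardening win.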
diff --git a/docs/setup/security/http_security_headers.md b/docs/setup/security/http_security_headers.md
index 9fcb9f4..b93e0e1 100644
--- a/docs/setup/security/http_security_headers.md
+++ b/docs/setup/security/http_security_headers.md
@@ -53,7 +53,7 @@ Read more about HSTS [here](https://developer.mozilla.org/en-US/docs/Web/HTTP/He
 
 The HTTP X-XSS-Protection response header is a feature of Internet Explorer, Chrome and Safari Web browsers that initiates configured action when they detect reflected cross-site scripting (XSS) attacks.
  
-The following property needs to be updated in the zeppelin-site.xml in order to set X-XSS-PROTECTION header. 
+The below property to set X-XSS-Protection header is enabled with default value of "1; mode=block" in the zeppelin-site.xml
 
 ```xml
 <property>
@@ -64,7 +64,7 @@ The following property needs to be updated in the zeppelin-site.xml in order to
 ```
 
 
-You can choose appropriate value from below.
+You can choose appropriate value from below to update the configuration if required.
 
 * 0  (Disables XSS filtering)
 * 1  (Enables XSS filtering. If a cross-site scripting attack is detected, the browser will sanitize the page.)
@@ -76,7 +76,7 @@ Read more about HTTP X-XSS-Protection response header [here](https://developer.m
 
 The X-Frame-Options HTTP response header can indicate browser to avoid clickjacking attacks, by ensuring that their content is not embedded into other sites in a `<frame>`,`<iframe>` or `<object>`.
 
-The following property needs to be updated in the zeppelin-site.xml in order to set X-Frame-Options header.
+The below property to set X-Frame-Options header is enabled with default value of "SAMEORIGIN" in the zeppelin-site.xml
 
 ```xml
 <property>
@@ -87,7 +87,7 @@ The following property needs to be updated in the zeppelin-site.xml in order to
 ```
 
 
-You can choose appropriate value from below.
+You can choose appropriate value from below to update the configuration if required.
 
 * `DENY`
 * `SAMEORIGIN`
@@ -97,7 +97,7 @@ You can choose appropriate value from below.
 
 The HTTP X-Content-Type-Options response header helps to prevent MIME type sniffing attacks. It directs the browser to honor the type specified in the Content-Type header, rather than trying to determine the type from the content itself. The default value `nosniff` is really the only meaningful value. This header is supported on all browsers except Safari and Safari on iOS.
 
-Zeppelin server will add this header to HTTP response by default. The following property needs to be updated in the zeppelin-site.xml in order to change X-Content-Type-Options header value.
+The below property to set X-Content-Type-Options header is enabled with default value of "nosniff" in the zeppelin-site.xml
 
 ```xml
 <property>
@@ -111,14 +111,14 @@ Zeppelin server will add this header to HTTP response by default. The following
 
 Security conscious organisations does not want to reveal the Application Server name and version to prevent finding this information easily by Attacker while fingerprinting the Application. The exact version number can tell an Attacker if the current Application Server is patched for or vulnerable to certain publicly known CVE associated to it.
 
-The following property needs to be updated in the zeppelin-site.xml in order to set Server header.
+The below property to mask Jetty server version is enabled by default and configured with value of " " (one whitespace char) in the zeppelin-site.xml
 
 ```xml
 <property>
     <name>zeppelin.server.jetty.name</name>
-    <value>Jetty(7.6.0.v20120127)</value>
+    <value> </value>
     <description>Hardcoding Application Server name to Prevent Fingerprinting</description>
 </property>
 ```
 
-The value can be any "String".
\ No newline at end of file
+The value can be any "String". Removing this property from configuration will cause Zeppelin to send correct Jetty server version.
\ No newline at end of file
diff --git a/zeppelin-interpreter/src/main/java/org/apache/zeppelin/conf/ZeppelinConfiguration.java b/zeppelin-interpreter/src/main/java/org/apache/zeppelin/conf/ZeppelinConfiguration.java
index 75391de..1be243f 100644
--- a/zeppelin-interpreter/src/main/java/org/apache/zeppelin/conf/ZeppelinConfiguration.java
+++ b/zeppelin-interpreter/src/main/java/org/apache/zeppelin/conf/ZeppelinConfiguration.java
@@ -954,14 +954,14 @@ public class ZeppelinConfiguration extends XMLConfiguration {
     ZEPPELIN_WEBSOCKET_MAX_TEXT_MESSAGE_SIZE("zeppelin.websocket.max.text.message.size", "10240000"),
     ZEPPELIN_SERVER_DEFAULT_DIR_ALLOWED("zeppelin.server.default.dir.allowed", false),
     ZEPPELIN_SERVER_XFRAME_OPTIONS("zeppelin.server.xframe.options", "SAMEORIGIN"),
-    ZEPPELIN_SERVER_JETTY_NAME("zeppelin.server.jetty.name", null),
+    ZEPPELIN_SERVER_JETTY_NAME("zeppelin.server.jetty.name", " "),
     ZEPPELIN_SERVER_JETTY_THREAD_POOL_MAX("zeppelin.server.jetty.thread.pool.max", 400),
     ZEPPELIN_SERVER_JETTY_THREAD_POOL_MIN("zeppelin.server.jetty.thread.pool.min", 8),
     ZEPPELIN_SERVER_JETTY_THREAD_POOL_TIMEOUT("zeppelin.server.jetty.thread.pool.timeout", 30),
     ZEPPELIN_SERVER_JETTY_REQUEST_HEADER_SIZE("zeppelin.server.jetty.request.header.size", 8192),
     ZEPPELIN_SERVER_AUTHORIZATION_HEADER_CLEAR("zeppelin.server.authorization.header.clear", true),
     ZEPPELIN_SERVER_STRICT_TRANSPORT("zeppelin.server.strict.transport", "max-age=631138519"),
-    ZEPPELIN_SERVER_X_XSS_PROTECTION("zeppelin.server.xxss.protection", "1"),
+    ZEPPELIN_SERVER_X_XSS_PROTECTION("zeppelin.server.xxss.protection", "1; mode=block"),
     ZEPPELIN_SERVER_X_CONTENT_TYPE_OPTIONS("zeppelin.server.xcontent.type.options", "nosniff"),
 
     ZEPPELIN_SERVER_KERBEROS_KEYTAB("zeppelin.server.kerberos.keytab", ""),
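Review bot: The new default `" "` for `ZEPPELIN_SERVER_JETTY_NAME` is a single-space sentinel that a later reader will take for a typo, and it silently changes the meaning of "property absent": the docs hunk in this commit says removing the property restores the real Jetty version, but with a non-null code default the getter presumably returns the space whether or not zeppelin-site.xml sets it (the getter and the header-setting code are outside this hunk, so this is inferred). Either keep the default `null` and let the template carry the blank, or fix the documentation, and in any case add a why-comment on the line, e.g. `// Whitespace-only default masks the Jetty version in the Server header; null would send the real banner.` Also consider that a whitespace value may be trimmed to "" when read from XML, so any null/empty check in the header code should treat both the same way. The ConfVars enum continues past the end of this hunk.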