Posted to yarn-dev@hadoop.apache.org by "Kanwaljeet Sachdev (JIRA)" <ji...@apache.org> on 2018/04/23 16:29:00 UTC

[jira] [Created] (YARN-8198) Add Security-Related HTTP Response Header in Yarn WEBUIs.

Kanwaljeet Sachdev created YARN-8198:
----------------------------------------

             Summary: Add Security-Related HTTP Response Header in Yarn WEBUIs.
                 Key: YARN-8198
                 URL: https://issues.apache.org/jira/browse/YARN-8198
             Project: Hadoop YARN
          Issue Type: Improvement
          Components: yarn
            Reporter: Kanwaljeet Sachdev


As of today, the YARN web UI lacks certain security-related HTTP response headers. We are planning to add a few default ones and also add support for headers to be added via XML config. We are planning to make the two below the defaults.
 * X-XSS-Protection: 1; mode=block
 * X-Content-Type-Options: nosniff

 

Support for headers via config properties in core-site.xml will be along the below lines
{code:xml}
<property>
  <name>hadoop.http.header.Strict_Transport_Security</name>
  <value>valHSTSFromXML</value>
</property>
{code}
 

A regex matcher will lift these properties and add them to the response headers when Jetty prepares the response.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
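
Added example (not part of the issue and not Hadoop code): a check that derives the expected header set from a core-site.xml and compares it with the headers a web UI actually returned. The regex, the underscore-to-hyphen mapping, the rejection of values containing line breaks, the function names and all sample values are assumptions of this example.

```python
import re
import xml.etree.ElementTree as ET

# The two defaults named in the issue description.
DEFAULT_HEADERS = {
    "X-XSS-Protection": "1; mode=block",
    "X-Content-Type-Options": "nosniff",
}
# Assumed pattern (the issue does not give the regex); group 1 is the header token.
HEADER_PROPERTY = re.compile(r"hadoop\.http\.header\.([A-Za-z0-9_-]+)")

# Constructed core-site.xml: one valid header, one value with a line break, one unrelated key.
SAMPLE_CORE_SITE = """<configuration>
  <property><name>hadoop.http.header.Strict_Transport_Security</name><value>max-age=31536000</value></property>
  <property><name>hadoop.http.header.X_Frame_Options</name><value>DENY&#10;extra</value></property>
  <property><name>fs.defaultFS</name><value>hdfs://example:8020</value></property>
</configuration>"""
# Constructed response headers, as captured from a web UI that lacks the configured header.
SAMPLE_RESPONSE = {"x-content-type-options": "nosniff", "X-XSS-Protection": "1; mode=block"}


def expected_headers(core_site_xml):
    """Return (headers, rejected): defaults plus every property the pattern matches."""
    headers = dict(DEFAULT_HEADERS)
    rejected = []
    for prop in ET.fromstring(core_site_xml).iter("property"):
        name = (prop.findtext("name") or "").strip()
        value = prop.findtext("value") or ""
        match = HEADER_PROPERTY.fullmatch(name)  # fullmatch: no partial or suffixed names
        if not match:
            continue
        # A header value must stay on one line, otherwise it could split the response.
        if "\r" in value or "\n" in value or not value.strip():
            rejected.append(name)
            continue
        # Assumption: underscores in the property name stand for hyphens in the header.
        headers[match.group(1).replace("_", "-")] = value.strip()
    return headers, rejected


def audit(response_headers, expected):
    """Return the expected headers that are missing or differ (names compared case-insensitively)."""
    got = {k.lower(): v.strip() for k, v in response_headers.items()}
    return {k: v for k, v in expected.items() if got.get(k.lower()) != v}


if __name__ == "__main__":
    expected, rejected = expected_headers(SAMPLE_CORE_SITE)
    print("rejected properties:", rejected)
    print("missing or wrong headers:", audit(SAMPLE_RESPONSE, expected))
```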
