You are viewing a plain text version of this content. The canonical link for it is here.

Posted to dev@ambari.apache.org by "Robert Levas (JIRA)" <ji...@apache.org> on 2015/10/03 13:49:26 UTC

[jira] [Created] (AMBARI-13304) Add security-related HTTP headers to Views to keep Ambari up to date with best-practices

Robert Levas created AMBARI-13304:
-------------------------------------

             Summary: Add security-related HTTP headers to Views to keep Ambari up to date with best-practices
                 Key: AMBARI-13304
                 URL: https://issues.apache.org/jira/browse/AMBARI-13304
             Project: Ambari
          Issue Type: Bug
          Components: ambari-server
    Affects Versions: 1.7.0
            Reporter: Robert Levas
            Assignee: Robert Levas
             Fix For: 2.2.0, 2.0.3, 2.1.3


Add security-related HTTP headers to Views to keep Ambari up to date with best-practices. 
* Strict-Transport-Security
* X-Frame-Options
* X-XSS-Protection

These headers should be configurable via the ambari.properties such that they may be turned on or off - and set to some custom value.

The default value for this headers should be as follows:
* Strict-Transport-Security: max-age=31536000
* X-Frame-Options: DENY
* X-XSS-Protection: 1; mode=block

Strict-Transport-Security should only be turned on if SSL is enabled.

The relevant Ambari properties should be:
* Strict-Transport-Security: http.strict-transport-security
* X-Frame-Options: http.x-frame-options
* X-XSS-Protection: http.x-xss-protection

By setting any of these to be empty, the header is to be turned off (or not set).

For example:
{code:title=Sets Strict-Transport-Security to a custom value}
http.strict-transport-security=max-age=31536000; includeSubDomains
{code}

{code:title=Turns Strict-Transport-Security off}
http.strict-transport-security=
{code}




--
This message was sent by Atlassian JIRA
(v6.3.4#6332)