This is an automated email from the ASF dual-hosted git repository.

pradeep pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/ranger.git


The following commit(s) were added to refs/heads/master by this push:
     new 816a560  RANGER-2407: [Best Practices] Update default header values 
sent from Ranger
816a560 is described below

commit 816a560a91e419662a3f0889938af48694670079
Author: Pradeep <[email protected]>
AuthorDate: Tue Apr 23 13:42:00 2019 +0530

    RANGER-2407: [Best Practices] Update default header values sent from Ranger
---
 .../src/main/java/org/apache/ranger/server/tomcat/EmbeddedServer.java   | 2 ++
 .../security/web/filter/RangerSecurityContextFormationFilter.java       | 2 +-
 .../src/main/resources/conf.dist/security-applicationContext.xml        | 1 +
 3 files changed, 4 insertions(+), 1 deletion(-)

diff --git 
a/embeddedwebserver/src/main/java/org/apache/ranger/server/tomcat/EmbeddedServer.java
 
b/embeddedwebserver/src/main/java/org/apache/ranger/server/tomcat/EmbeddedServer.java
index 3963df1..5ef354b 100644
--- 
a/embeddedwebserver/src/main/java/org/apache/ranger/server/tomcat/EmbeddedServer.java
+++ 
b/embeddedwebserver/src/main/java/org/apache/ranger/server/tomcat/EmbeddedServer.java
@@ -389,6 +389,8 @@ public class EmbeddedServer {
                
server.getConnector().setMaxSavePostSize(getIntConfig("ranger.service.http.connector.attrib.maxSavePostSize",
 4096));
                
server.getConnector().setParseBodyMethods(getConfig("ranger.service.http.connector.attrib.methods",
 "POST"));
                
server.getConnector().setURIEncoding(getConfig("ranger.service.http.connector.attrib.URIEncoding",
 "UTF-8"));
+               server.getConnector().setXpoweredBy(false);
+               server.getConnector().setAttribute("server", "Apache Ranger");
                Iterator<Object> iterator = 
serverConfigProperties.keySet().iterator();
                String key = null;
                String property = null;
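Review bot: The Server header value is hard-coded in `server.getConnector().setAttribute("server", "Apache Ranger");`, while every neighbouring connector attribute in this hunk is read through getConfig() with a default; reading it the same way, `server.getConnector().setAttribute("server", getConfig("<CONFIG_KEY_PLACEHOLDER>", "Apache Ranger"));`, would let deployments that do not want the product name disclosed change or blank it without a code change. A short comment above the two added lines would also help: Tomcat's `server` connector attribute, as far as I recall, overrides any Server header the web application itself sets, so this is the single place that header is controlled, and `setXpoweredBy(false)` matches Tomcat's default and is being pinned explicitly. The method enclosing the hunk starts and ends outside it.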
diff --git 
a/security-admin/src/main/java/org/apache/ranger/security/web/filter/RangerSecurityContextFormationFilter.java
 
b/security-admin/src/main/java/org/apache/ranger/security/web/filter/RangerSecurityContextFormationFilter.java
index dc1e106..d75b903 100644
--- 
a/security-admin/src/main/java/org/apache/ranger/security/web/filter/RangerSecurityContextFormationFilter.java
+++ 
b/security-admin/src/main/java/org/apache/ranger/security/web/filter/RangerSecurityContextFormationFilter.java
@@ -139,9 +139,9 @@ public class RangerSecurityContextFormationFilter extends 
GenericFilterBean {
                        }
                        HttpServletResponse res = (HttpServletResponse)response;
                        res.setHeader("X-Frame-Options", "DENY" );
-                       res.setHeader("X-Content-Type-Options", "nosniff");
                        res.setHeader("X-XSS-Protection", "1; mode=block");
                        res.setHeader("Strict-Transport-Security", 
"max-age=31536000; includeSubDomains");
+                       res.setHeader("Content-Security-Policy", "default-src 
'none'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; connect-src 'self'; 
img-src 'self'; style-src 'self' 'unsafe-inline';font-src 'self'");
                        chain.doFilter(request, res);
 
                } finally {
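Review bot: The added Content-Security-Policy allows `script-src 'self' 'unsafe-inline' 'unsafe-eval'`, which permits any injected inline script to run, so the policy does not provide the XSS mitigation a CSP is usually added for; if the admin UI currently depends on inline scripts, a comment on the `res.setHeader("Content-Security-Policy", ...)` line stating that and a TODO to move to nonce- or hash-based script sources would make the trade-off explicit. The same directive string is duplicated in security-applicationContext.xml (the third hunk), so the two copies can drift apart; keeping the value in one place, or at least a comment in each pointing at the other, would reduce that risk. Adding `frame-ancestors 'none'` to the policy would carry the existing X-Frame-Options DENY intent into CSP for browsers that prefer it. The enclosing doFilter method starts and ends outside the hunk.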
diff --git 
a/security-admin/src/main/resources/conf.dist/security-applicationContext.xml 
b/security-admin/src/main/resources/conf.dist/security-applicationContext.xml
index 39f236d..52de80b 100644
--- 
a/security-admin/src/main/resources/conf.dist/security-applicationContext.xml
+++ 
b/security-admin/src/main/resources/conf.dist/security-applicationContext.xml
@@ -53,6 +53,7 @@ 
http://www.springframework.org/schema/security/spring-security-oauth2-2.0.xsd";>
                        <security:content-type-options/>
                        <security:xss-protection/>
                        <security:hsts/>
+                       <security:content-security-policy 
policy-directives="default-src 'none'; script-src 'self' 'unsafe-inline' 
'unsafe-eval'; connect-src 'self'; img-src 'self'; style-src 'self' 
'unsafe-inline';font-src 'self'"/>
                </security:headers>
                <security:session-management 
session-fixation-protection="newSession" />
                <intercept-url pattern="/**" access="isAuthenticated()"/>       
