ihuzenko opened a new pull request #2025: DRILL-7626: Add ability to set HTTP response headers
URL: https://github.com/apache/drill/pull/2025

# [DRILL-XXXX](https://issues.apache.org/jira/browse/DRILL-7626): Add ability to set HTTP response headers

## Description

1. Created ResponseHeadersSettingFilter for adding configured values to each response.
2. Now, when drill.exec.http.ssl_enabled is set to true, users can add the following headers to improve security:

   "X-XSS-Protection" : "1; mode=block",
   "X-Content-Type-Options" : "nosniff",
   "Strict-Transport-Security" : "max-age=31536000;includeSubDomains",
   "Content-Security-Policy" : "default-src https:; script-src 'unsafe-inline' https:; style-src 'unsafe-inline' https:; font-src data: https:; img-src data: https:"

## Documentation

Adding new response headers is now available in drill-override.conf under the key drill.exec.http.jetty.server.response.headers. For example:

```
drill.exec: {
  cluster-id: "drillbits1",
  zk.connect: "localhost:2181",
  http: {
    ssl_enabled: true,
    jetty.server.response.headers: {
      "X-XSS-Protection": "1; mode=block",
      "X-Content-Type-Options": "nosniff",
      "Strict-Transport-Security": "max-age=31536000;includeSubDomains",
      "Content-Security-Policy": "default-src https:; script-src 'unsafe-inline' https:; font-src data: https:; img-src data: https:"
    }
  }
}
```

## Testing

Tested manually with Web UI.
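An added example, not part of the pull request or of Drill's code: a Python check that compares the headers of a response with the values from the drill-override.conf example above and notes any CSP directive that permits 'unsafe-inline'. The function names and the sample response are constructed for illustration.

```python
import re

# Header values taken from the configuration example in the pull request.
EXPECTED = {
    "X-XSS-Protection": "1; mode=block",
    "X-Content-Type-Options": "nosniff",
    "Strict-Transport-Security": "max-age=31536000;includeSubDomains",
    "Content-Security-Policy": "default-src https:; script-src 'unsafe-inline' https:; "
                               "font-src data: https:; img-src data: https:",
}

def normalize(value):
    """Lower-case and split a header value on ';' so spacing differences are ignored."""
    return [re.sub(r"\s+", " ", part.strip().lower()) for part in value.split(";") if part.strip()]

def parse_csp(value):
    """Return {directive: [sources]} for a Content-Security-Policy value."""
    policy = {}
    for part in normalize(value):
        name, *sources = part.split(" ")
        policy.setdefault(name, sources)  # first occurrence of a directive wins
    return policy

def audit_headers(response_headers, expected=EXPECTED):
    """Compare response headers against the configured ones; return a list of findings."""
    seen = {k.lower(): v for k, v in response_headers.items()}  # names are case-insensitive
    findings = []
    for name, want in expected.items():
        got = seen.get(name.lower())
        if got is None:
            findings.append(f"missing: {name}")
        elif normalize(got) != normalize(want):
            findings.append(f"mismatch: {name}")
    csp = parse_csp(seen.get("content-security-policy", ""))
    for directive, sources in csp.items():
        if "'unsafe-inline'" in sources:
            findings.append(f"csp allows inline content: {directive}")
    return findings

# Constructed sample response: HSTS spaced differently, X-Content-Type-Options absent.
SAMPLE = {
    "x-xss-protection": "1; mode=block",
    "strict-transport-security": "max-age=31536000; includeSubDomains",
    "content-security-policy": EXPECTED["Content-Security-Policy"],
}

if __name__ == "__main__":
    for finding in audit_headers(SAMPLE):
        print(finding)
```

In practice the dictionary passed to `audit_headers` would come from a real response of the Web UI, for example the headers of an HTTPS request made with any HTTP client.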
