Krishna Pandey created ZEPPELIN-2775:
----------------------------------------
Summary: Add configurable Strict-Transport-Security and X-XSS-Protection Headers
Key: ZEPPELIN-2775
URL: https://issues.apache.org/jira/browse/ZEPPELIN-2775
Project: Zeppelin
Issue Type: Bug
Components: zeppelin-server
Affects Versions: 0.7.2
Reporter: Krishna Pandey
The *HTTP Strict-Transport-Security* response header (often abbreviated as
HSTS) is a security feature that lets a web site tell browsers that it should
only be communicated with using HTTPS, instead of using HTTP.
*Note:* The Strict-Transport-Security header is ignored by the browser when
your site is accessed using HTTP; this is because an attacker may intercept
HTTP connections and inject the header or remove it. When your site is accessed
over HTTPS with no certificate errors, the browser knows your site is HTTPS
capable and will honor the Strict-Transport-Security header.
*An example scenario*
You log into a free WiFi access point at an airport and start surfing the web,
visiting your online banking service to check your balance and pay a couple of
bills. Unfortunately, the access point you're using is actually a hacker's
laptop, and they're intercepting your original HTTP request and redirecting you
to a clone of your bank's site instead of the real thing. Now your private data
is exposed to the hacker.
Strict Transport Security resolves this problem; as long as you've accessed
your bank's web site once using HTTPS, and the bank's web site uses Strict
Transport Security, your browser will know to automatically use only HTTPS,
which prevents hackers from performing this sort of man-in-the-middle attack.
*Syntax*
Strict-Transport-Security: max-age=<expire-time>
Strict-Transport-Security: max-age=<expire-time>; includeSubDomains
Strict-Transport-Security: max-age=<expire-time>; preload
Read more at
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security
The HTTP *X-XSS-Protection* response header is a feature of Internet Explorer,
Chrome and Safari that stops pages from loading when they detect reflected
cross-site scripting (XSS) attacks.
*Syntax*
X-XSS-Protection: 0
X-XSS-Protection: 1
X-XSS-Protection: 1; mode=block
X-XSS-Protection: 1; report=<reporting-uri>
Read more at
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection
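The following Python audit is an added example and is not part of this issue or of Zeppelin's own code. It parses the two header syntaxes quoted above, builds a header value from configurable settings (the kind of knobs this issue asks for), and applies the caveats the description mentions: an HSTS header delivered over plain HTTP is ignored by the browser, `max-age` is mandatory, and `preload` is only accepted by the browser preload list together with `includeSubDomains` and a `max-age` of at least one year. The sample responses are constructed inline.

```python
"""Audit Strict-Transport-Security and X-XSS-Protection response headers.

Added example, not Zeppelin project code. Header names are matched
case-insensitively, as HTTP requires; directive names are case-insensitive too.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

ONE_YEAR = 31536000  # seconds; minimum max-age accepted for HSTS preload submission


@dataclass
class HstsPolicy:
    max_age: int
    include_subdomains: bool = False
    preload: bool = False


def parse_hsts(value: str) -> Optional[HstsPolicy]:
    """Parse an HSTS header value; return None if max-age is missing or malformed."""
    max_age = None
    include_subdomains = preload = False
    for raw in value.split(";"):
        name, _, arg = raw.strip().partition("=")
        name = name.strip().lower()
        arg = arg.strip().strip('"')  # RFC 6797 allows a quoted-string max-age
        if name == "max-age":
            if not arg.isdigit():
                return None
            max_age = int(arg)
        elif name == "includesubdomains":
            include_subdomains = True
        elif name == "preload":
            preload = True
        # Unknown directives are ignored, as the RFC requires.
    if max_age is None:
        return None
    return HstsPolicy(max_age, include_subdomains, preload)


def build_hsts(max_age: int, include_subdomains: bool, preload: bool) -> str:
    """Build the header value a server would emit from configurable settings."""
    parts = [f"max-age={max_age}"]
    if include_subdomains:
        parts.append("includeSubDomains")
    if preload:
        parts.append("preload")
    return "; ".join(parts)


@dataclass
class XssProtection:
    enabled: bool
    mode_block: bool = False
    report_uri: Optional[str] = None


def parse_xss_protection(value: str) -> Optional[XssProtection]:
    """Parse an X-XSS-Protection value; the first token must be 0 or 1."""
    parts = [p.strip() for p in value.split(";")]
    if parts[0] not in ("0", "1"):
        return None
    result = XssProtection(enabled=parts[0] == "1")
    for part in parts[1:]:
        name, _, arg = part.partition("=")  # split on the first '=' only: the URI may contain '='
        name, arg = name.strip().lower(), arg.strip()
        if name == "mode" and arg.lower() == "block":
            result.mode_block = True
        elif name == "report":
            result.report_uri = arg
    return result


def audit_response(scheme: str, headers: Dict[str, str]) -> List[str]:
    """Return human-readable findings for a response served over `scheme`."""
    lower = {k.lower(): v for k, v in headers.items()}
    findings: List[str] = []
    hsts_raw = lower.get("strict-transport-security")
    if hsts_raw is None:
        findings.append("HSTS: header missing")
    else:
        policy = parse_hsts(hsts_raw)
        if policy is None:
            findings.append("HSTS: malformed value (max-age is required)")
        else:
            if scheme.lower() != "https":
                findings.append("HSTS: served over plain HTTP, so the browser ignores it")
            if policy.max_age == 0:
                findings.append("HSTS: max-age=0 clears any stored policy")
            elif policy.max_age < ONE_YEAR:
                findings.append(f"HSTS: max-age {policy.max_age} is below one year")
            if policy.preload and not (policy.include_subdomains and policy.max_age >= ONE_YEAR):
                findings.append("HSTS: preload requires includeSubDomains and max-age >= 1 year")
    xss_raw = lower.get("x-xss-protection")
    if xss_raw is None:
        findings.append("X-XSS-Protection: header missing")
    else:
        xp = parse_xss_protection(xss_raw)
        if xp is None:
            findings.append("X-XSS-Protection: malformed value")
        elif not xp.enabled:
            findings.append("X-XSS-Protection: filter disabled (0)")
        elif not xp.mode_block:
            findings.append("X-XSS-Protection: enabled without mode=block, browser sanitizes instead of blocking")
    return findings


# Constructed sample responses (not captured from any real server).
GOOD_RESPONSE = {"Strict-Transport-Security": build_hsts(ONE_YEAR, True, False),
                 "X-XSS-Protection": "1; mode=block"}
WEAK_RESPONSE = {"strict-transport-security": "max-age=300", "x-xss-protection": "1"}

if __name__ == "__main__":
    for scheme, resp in (("https", GOOD_RESPONSE), ("http", WEAK_RESPONSE)):
        print(scheme, audit_response(scheme, resp) or ["no findings"])
```

`audit_response` takes the scheme separately because the point of the note above is that the same header is honored over HTTPS and ignored over HTTP; a scanner that only looks at header values misses that. The X-XSS-Protection checks reflect the syntax as the issue describes it; current Chromium-based browsers have since removed the XSS auditor, so the header is now mainly relevant to older browsers.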
--
This message was sent by Atlassian JIRA
(v6.4.14#64029)