[GitHub] [zeppelin] VipinRathor opened a new pull request #3544: [ZEPPELIN-4471] Add HTTP security header X-Content-Type-Options

Fri, 06 Dec 2019 18:00:50 -0800 

VipinRathor opened a new pull request #3544: [ZEPPELIN-4471] Add HTTP security 
header X-Content-Type-Options
URL: https://github.com/apache/zeppelin/pull/3544
 
 
   ### What is this PR for?
   This PR adds support for X-Content-Type-Options response header. As per 
Security best practices, Zeppelin server should have an option to include 
"X-Content-Type-Options: nosniff" header in HTTP response. This header prevents 
MIME type sniffing attack on web server.
   
   ### What type of PR is it?
   [Improvement]
   
   ### Todos
   * [ ] - Document the new option
   
   ### What is the Jira issue?
   https://issues.apache.org/jira/browse/ZEPPELIN-4471
   
   ### How should this be tested?
   * Travis CI should pass
   * Manual verification
   HTTP response header before patch (missing X-Content-Type-Options header):
   ```
   $ curl -i `hostname -f`:8080
   HTTP/1.1 200 OK
   Date: Sat, 07 Dec 2019 00:43:34 GMT
   Access-Control-Allow-Credentials: true
   Access-Control-Allow-Headers: authorization,Content-Type
   Access-Control-Allow-Methods: POST, GET, OPTIONS, PUT, HEAD, DELETE
   X-FRAME-OPTIONS: SAMEORIGIN
   X-XSS-Protection: 1
   Last-Modified: Sat, 07 Dec 2019 00:35:42 GMT
   Content-Type: text/html
   Accept-Ranges: bytes
   Content-Length: 4660
   Server: Jetty(9.4.18.v20190429)
   ```
   
   HTTP response header after patch (notice the X-Content-Type-Options header):
   ```
   $ curl -i `hostname -f`:8080
   HTTP/1.1 200 OK
   Date: Sat, 07 Dec 2019 01:30:37 GMT
   Access-Control-Allow-Credentials: true
   Access-Control-Allow-Headers: authorization,Content-Type
   Access-Control-Allow-Methods: POST, GET, OPTIONS, PUT, HEAD, DELETE
   X-FRAME-OPTIONS: SAMEORIGIN
   X-XSS-Protection: 1
   X-Content-Type-Options: nosniff
   Last-Modified: Sat, 07 Dec 2019 01:28:44 GMT
   Content-Type: text/html
   Accept-Ranges: bytes
   Content-Length: 4660
   Server: Jetty(9.4.18.v20190429)
   ```
   
   ### Questions:
   * Does the licenses files need update?
   No
   * Is there breaking changes for older versions?
   No
   * Does this needs documentation?
   Yes
   

----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
 
For queries about this service, please contact Infrastructure at:
[email protected]


With regards,
Apache Git Services

Reply via email to