Krishna Pandey created ZEPPELIN-4723:
----------------------------------------
Summary: Configure Security Features in Zeppelin to be enabled by default
Key: ZEPPELIN-4723
URL: https://issues.apache.org/jira/browse/ZEPPELIN-4723
Project: Zeppelin
Issue Type: Improvement
Components: zeppelin-web
Affects Versions: 0.8.2
Reporter: Krishna Pandey
Assignee: Krishna Pandey
Fix For: 0.9.0
Zeppelin, being a notebook, has gained popularity among Data Scientists who are
not necessarily also information-security savvy. They usually deploy Zeppelin
with the default configuration options, which do not enable the common web
application security headers by default, e.g. zeppelin.server.xframe.options,
zeppelin.server.strict.transport, zeppelin.server.xxss.protection and
zeppelin.server.xcontent.type.options, documented
[here|https://zeppelin.apache.org/docs/0.8.2/setup/security/http_security_headers.html].
This leaves the Zeppelin installation vulnerable.
In recent times, Zeppelin installations have been taking flak over these missing
security headers from Internal Security teams and External Auditors who are not
aware that these features are already available. Also, as the software community
moves towards privacy-by-design and compliance-as-code, an expectation of
secure-by-design defaults does not look out of place. This Jira's intention is to
enable all of the above HTTP response headers by default.
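As an added illustration (not part of this issue or of the Zeppelin project's code), the check below maps each of the four zeppelin.server.* options to the response header it controls and reports which headers a Zeppelin response is missing, which is the kind of check the auditors mentioned above run; the sample responses are constructed, and the hardened values follow the linked documentation.

```python
"""Audit the HTTP security headers that Zeppelin's zeppelin.server.* options control."""
from urllib.request import urlopen
from urllib.error import URLError

# zeppelin-site.xml property -> HTTP response header it emits
# (mapping taken from the Zeppelin http_security_headers documentation)
HEADER_FOR_OPTION = {
    "zeppelin.server.xframe.options": "X-Frame-Options",
    "zeppelin.server.strict.transport": "Strict-Transport-Security",
    "zeppelin.server.xxss.protection": "X-XSS-Protection",
    "zeppelin.server.xcontent.type.options": "X-Content-Type-Options",
}


def audit_security_headers(headers):
    """Return {option: header value or None} for each Zeppelin security option.

    `headers` maps response header names to values; names are compared
    case-insensitively, as HTTP requires.
    """
    lowered = {name.lower(): value for name, value in headers.items()}
    return {opt: lowered.get(hdr.lower()) for opt, hdr in HEADER_FOR_OPTION.items()}


def missing_options(headers):
    """Sorted names of zeppelin.server.* options whose header is absent."""
    return sorted(opt for opt, val in audit_security_headers(headers).items() if val is None)


def fetch_headers(url, timeout=5):
    """Fetch `url` and return its response headers as a dict (None on network error)."""
    try:
        with urlopen(url, timeout=timeout) as resp:
            return dict(resp.headers.items())
    except URLError:
        return None


# Constructed sample responses (not captured from a real server).
DEFAULT_INSTALL_HEADERS = {"Content-Type": "text/html;charset=utf-8", "Server": "Jetty"}
HARDENED_HEADERS = {
    "Content-Type": "text/html;charset=utf-8",
    "X-Frame-Options": "SAMEORIGIN",
    "Strict-Transport-Security": "max-age=631138519",
    "X-XSS-Protection": "1; mode=block",
    "X-Content-Type-Options": "nosniff",
}

if __name__ == "__main__":
    for label, hdrs in (("default", DEFAULT_INSTALL_HEADERS), ("hardened", HARDENED_HEADERS)):
        print(label, "missing:", missing_options(hdrs) or "none")
```

Point `fetch_headers` at a running instance's URL and pass the result to `missing_options` to audit a live deployment.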
--
This message was sent by Atlassian Jira
(v8.3.4#803005)