Andor Molnar created HBASE-23303:
------------------------------------

             Summary: Add security headers to REST server/info page
                 Key: HBASE-23303
                 URL: https://issues.apache.org/jira/browse/HBASE-23303
             Project: HBase
          Issue Type: Improvement
          Components: REST
    Affects Versions: 2.2.2, 2.1.7, 2.0.6, 3.0.0
            Reporter: Andor Molnar
            Assignee: Andor Molnar
Vulnerability scanners suggest that the following extra headers should be added to both Info/Rest server endpoints, which are exposed by the {{hbase-rest}} project.

 * X-Content-Type-Options: nosniff
 * X-XSS-Protection: 1; mode=block
 * X-Frame-Options: SAMEORIGIN

The Info server already has "X-Frame-Options: DENY", which is more restrictive than "SAMEORIGIN", so it's probably fine. All three headers are missing from REST responses.

I'll put together a patch to resolve this.

--
This message was sent by Atlassian Jira
(v8.3.4#803005)
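The check a scanner (or a reviewer of the eventual patch) would run against the two endpoints, written as an added, stand-alone example rather than code from HBase or from the ticket's patch. It parses a raw HTTP response as `curl -i` would print it and reports each of the three headers that is absent or carries an unexpected value, treating `X-Frame-Options: DENY` as satisfying the `SAMEORIGIN` requirement for the reason given in the ticket. The sample responses, the `REQUIRED` policy table and the function names are constructed for this example; nothing here was captured from a real HBase deployment.

```python
"""Offline audit of the three response headers HBASE-23303 asks for.

Added example, not HBase code. The sample responses below are constructed to
mirror the ticket: the Info server already sends X-Frame-Options: DENY, the
REST server sends none of the three headers.
"""
from typing import Dict, Iterable

# Header name (lowercase) -> values that satisfy the requirement.
# X-Frame-Options: DENY is stricter than SAMEORIGIN, so both are accepted.
REQUIRED: Dict[str, Iterable[str]] = {
    "x-content-type-options": ("nosniff",),
    "x-xss-protection": ("1; mode=block",),
    "x-frame-options": ("SAMEORIGIN", "DENY"),
}


def _normalize(value: str) -> str:
    """Lowercase and strip whitespace around ';' so '1;mode=block' == '1; mode=block'."""
    return ";".join(part.strip() for part in value.lower().split(";"))


def parse_headers(raw: str) -> Dict[str, str]:
    """Parse the head of a raw HTTP response (e.g. `curl -i` output) into a dict
    keyed by lowercase header name; header names are case-insensitive (RFC 7230)."""
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0]
    headers: Dict[str, str] = {}
    for line in head.split("\n")[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def audit(headers: Dict[str, str]) -> Dict[str, str]:
    """Return {header: problem} for every required header that is absent or carries
    a value outside the accepted set. An empty dict means the response passes."""
    problems: Dict[str, str] = {}
    for name, accepted in REQUIRED.items():
        value = headers.get(name)
        if value is None:
            problems[name] = "missing"
        elif _normalize(value) not in {_normalize(a) for a in accepted}:
            problems[name] = f"unexpected value {value!r}"
    return problems


# Constructed sample responses (not captured from a real HBase deployment).
REST_BEFORE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: application/json\r\n"
    "Content-Length: 2\r\n"
    "\r\n"
    "{}"
)
REST_AFTER = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: application/json\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "X-XSS-Protection: 1; mode=block\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "Content-Length: 2\r\n"
    "\r\n"
    "{}"
)
INFO_PAGE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "X-Frame-Options: DENY\r\n"
    "X-Content-Type-Options: NOSNIFF\r\n"
    "X-XSS-Protection: 1;mode=block\r\n"
    "\r\n"
    "<html></html>"
)

if __name__ == "__main__":
    for label, raw in (("rest before", REST_BEFORE),
                       ("rest after", REST_AFTER),
                       ("info page", INFO_PAGE)):
        print(label, audit(parse_headers(raw)) or "ok")
```

To run it against a live endpoint, pipe `curl -si http://host:port/` into `parse_headers`; the audit is deliberately value-strict, so a server that emits the headers with a different policy (for example `ALLOW-FROM`) is reported rather than silently accepted.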