Don Laidlaw created MESOS-5219:
----------------------------------
Summary: Add security headers to HTTP response
Key: MESOS-5219
URL: https://issues.apache.org/jira/browse/MESOS-5219
Project: Mesos
Issue Type: Improvement
Components: HTTP API
Reporter: Don Laidlaw
Cross-site scripting and clickjacking are major concerns. Many issues can be
resolved by setting some headers in the HTTP responses for the user interface
and REST responses for both the master and slave processes.
X-Frame-Options: Can be set to deny, sameorigin, or allow-from <uri>
X-XSS-Protection: 1; mode=block
These would go a long way to making sites using Mesos more secure. Note that
the attacker does not need access to the Mesos hosts; the attack is delivered
through a user's web browser. So if a user can connect to both Mesos and the
internet, it is an issue.
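As an added illustration (not Mesos code and not from the reporter), a small Python audit of the two headers named above: it checks a response-header mapping for an X-Frame-Options value of deny, sameorigin or allow-from <uri> and for X-XSS-Protection: 1; mode=block, and fills in defaults where they are absent. The function names are our own.

```python
from urllib.parse import urlsplit

# Values recommended in the issue. ALLOW-FROM takes a URI, so it is checked
# structurally rather than by literal match.
FRAME_OPTIONS_SIMPLE = {"DENY", "SAMEORIGIN"}
XSS_PROTECTION = "1; mode=block"


def frame_options_ok(value):
    """True for deny, sameorigin, or allow-from <uri> (case-insensitive)."""
    parts = value.strip().split(None, 1)
    if not parts:
        return False
    directive = parts[0].upper()
    if directive in FRAME_OPTIONS_SIMPLE:
        return len(parts) == 1
    if directive == "ALLOW-FROM" and len(parts) == 2:
        uri = urlsplit(parts[1].strip())
        return uri.scheme in ("http", "https") and bool(uri.netloc)
    return False


def audit_security_headers(headers):
    """Return findings for a response-header mapping; empty list means OK."""
    lowered = {k.lower(): v for k, v in headers.items()}
    findings = []
    xfo = lowered.get("x-frame-options")
    if xfo is None:
        findings.append("missing X-Frame-Options (response can be framed)")
    elif not frame_options_ok(xfo):
        findings.append("invalid X-Frame-Options value: %r" % xfo)
    xss = lowered.get("x-xss-protection")
    if xss is None:
        findings.append("missing X-XSS-Protection")
    elif xss.replace(" ", "").lower() != XSS_PROTECTION.replace(" ", ""):
        findings.append("X-XSS-Protection should be %r, got %r" % (XSS_PROTECTION, xss))
    return findings


def add_security_headers(headers, frame_options="DENY"):
    """Copy of headers with the recommended values filled in where absent."""
    out = dict(headers)
    names = {k.lower() for k in out}
    if "x-frame-options" not in names:
        out["X-Frame-Options"] = frame_options
    if "x-xss-protection" not in names:
        out["X-XSS-Protection"] = XSS_PROTECTION
    return out
```

Running audit_security_headers over the headers returned by a master or slave endpoint shows whether the fix is in place; existing values are never overwritten by add_security_headers.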
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)