Alexey Serbin has submitted this change and it was merged. ( http://gerrit.cloudera.org:8080/18253 )
Change subject: [webserver] add security-related HTTP headers
......................................................................

[webserver] add security-related HTTP headers

To please various security scanners, this patch adds the following
HTTP headers into Kudu embedded webserver's responses:
  * Cache-Control (set to 'no-store' by default, see [1])
  * X-Content-Type-Options (set to 'nosniff' by default, see [2])
  * Strict-Transport-Security (see [3] and below for details)

The embedded webserver adds the HTTP strict transport security (HSTS)
header 'Strict-Transport-Security' for responses sent from HTTPS
(i.e. TLS-protected) endpoints if --webserver_hsts_max_age_seconds is
set to a non-negative value. The header contains the 'max-age'
attribute as specified by the flag, and adds the optional
'includeSubDomains' attribute as per the setting of the
--webserver_hsts_include_sub_domains flag. The HSTS header isn't added
to the responses sent from plain HTTP endpoints (BTW, it seems most
browsers simply ignore the HSTS header anyway if it's received from
an HTTP, not an HTTPS endpoint).

Essentially, the HSTS header for Kudu is a no-op since the embedded
webserver doesn't serve both HTTP and HTTPS endpoints at the same time:
one can enable one or the other, but never both. However, many security
scanners almost cry "Security breach" if they don't see the header :)

Adding the HSTS header isn't enabled by default since it could make
other plain HTTP endpoints at the same node/hostname inaccessible.
To enable adding the HSTS header for HTTPS responses, set the
--webserver_hsts_max_age_seconds flag to a non-negative integer.
Enable it with care and only if you know what you are doing!

One extra test added and a few existing ones updated correspondingly
to cover the newly introduced functionality.

[1] https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Cache-Control
[2] https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options
[3] https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security

Change-Id: Id844b9588196b3d608765d0f16f5caec1c414d41
Reviewed-on: http://gerrit.cloudera.org:8080/18253
Tested-by: Alexey Serbin <[email protected]>
Reviewed-by: Attila Bukor <[email protected]>
---
M src/kudu/server/webserver-test.cc
M src/kudu/server/webserver.cc
2 files changed, 142 insertions(+), 8 deletions(-)

Approvals:
  Alexey Serbin: Verified
  Attila Bukor: Looks good to me, approved

--
To view, visit http://gerrit.cloudera.org:8080/18253

Gerrit-Project: kudu
Gerrit-Branch: master
Gerrit-MessageType: merged
Gerrit-Change-Id: Id844b9588196b3d608765d0f16f5caec1c414d41
Gerrit-Change-Number: 18253
Gerrit-PatchSet: 10
Gerrit-Owner: Alexey Serbin <[email protected]>
Gerrit-Reviewer: Abhishek Chennaka <[email protected]>
Gerrit-Reviewer: Alexey Serbin <[email protected]>
Gerrit-Reviewer: Andrew Wong <[email protected]>
Gerrit-Reviewer: Attila Bukor <[email protected]>
Gerrit-Reviewer: Kudu Jenkins (120)
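
An added example, not part of the change or of Kudu's code: a small auditor that checks a captured response head against the header behaviour the commit message describes. The function names, the sample responses and the -1 / False defaults standing in for the two HSTS flags are assumptions made for illustration.

```python
# Added example, not Kudu code: names and the sample responses are constructed.

def parse_headers(raw):
    """Map lowercased header names to values from a raw HTTP response head."""
    headers = {}
    for line in raw.split("\r\n\r\n", 1)[0].split("\r\n")[1:]:  # skip status line
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers

def parse_hsts(value):
    """Return (max_age or None, include_sub_domains) for an HSTS header value."""
    max_age, include_sub = None, False
    for part in value.split(";"):
        key, _, val = part.strip().partition("=")
        val = val.strip().strip('"')
        if key.strip().lower() == "max-age" and val.isdigit():
            max_age = int(val)
        elif key.strip().lower() == "includesubdomains":
            include_sub = True
    return max_age, include_sub

def audit(raw, is_tls, hsts_max_age=-1, hsts_include_sub_domains=False):
    """List deviations from the header behaviour the commit message describes."""
    h = parse_headers(raw)
    findings = []
    if h.get("cache-control") != "no-store":
        findings.append("Cache-Control is not 'no-store'")
    if h.get("x-content-type-options") != "nosniff":
        findings.append("X-Content-Type-Options is not 'nosniff'")
    hsts = h.get("strict-transport-security")
    expect_hsts = is_tls and hsts_max_age >= 0  # HTTPS only, flag non-negative
    if hsts is None:
        if expect_hsts:
            findings.append("HSTS header missing on HTTPS response")
    elif not expect_hsts:
        findings.append("unexpected HSTS header")
    elif parse_hsts(hsts) != (hsts_max_age, hsts_include_sub_domains):
        findings.append("HSTS value does not match flags: " + hsts)
    return findings

# Constructed responses: HTTPS with HSTS enabled, and plain HTTP.
HTTPS_RESPONSE = ("HTTP/1.1 200 OK\r\nCache-Control: no-store\r\n"
                  "X-Content-Type-Options: nosniff\r\n"
                  "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n\r\n")
HTTP_RESPONSE = ("HTTP/1.1 200 OK\r\ncache-control: no-store\r\n"
                 "X-Content-Type-Options: nosniff\r\n\r\n")
```

A flag value of 0 counts as non-negative here, and a 'max-age=0' header tells a browser to drop any HSTS entry it holds for the host rather than to enforce one.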
