Hello Alexey Serbin, Ashwani Raina, Kudu Jenkins,

I'd like you to reexamine a change. Please visit

    http://gerrit.cloudera.org:8080/23657

to look at the new patch set (#2).

Change subject: [webserver] Restrict UI pages to GET/HEAD methods only
......................................................................

[webserver] Restrict UI pages to GET/HEAD methods only

Currently, the web server UI pages return 200 OK regardless of the
HTTP method used. Display pages like "/", "/tables", "/tablet-servers"
accept POST, PUT, DELETE and other methods even though they're purely
informational read-only pages. This could lead to unintended
interactions and doesn't follow HTTP best practices.

This patch adds HTTP method validation for display pages. Pages
registered with StyleMode::STYLED (human-readable UI pages with CSS
and navigation) now only accept GET and HEAD requests. Other HTTP
methods (POST, PUT, DELETE, etc.) return 405 Method Not Allowed with
an appropriate Allow header.

Functional endpoints like /metrics, and REST API endpoints registered
with StyleMode::UNSTYLED or StyleMode::JSON continue to accept all
HTTP methods as before, since they may legitimately need POST for
operations.

The design uses StyleMode as a signal for method restrictions since
STYLED pages are semantically read-only displays for human viewing,
while functional endpoints are machine-consumable and may need to
accept writes. This approach requires no API changes and automatically
applies the correct restrictions based on existing semantics.

Change-Id: Ie232bd50785bb750ecaa0a7e19403e573ac193eb
---
M src/kudu/server/webserver-test.cc
M src/kudu/server/webserver.cc
2 files changed, 109 insertions(+), 8 deletions(-)


  git pull ssh://gerrit.cloudera.org:29418/kudu refs/changes/57/23657/2
--
To view, visit http://gerrit.cloudera.org:8080/23657
To unsubscribe, visit http://gerrit.cloudera.org:8080/settings

Gerrit-Project: kudu
Gerrit-Branch: master
Gerrit-MessageType: newpatchset
Gerrit-Change-Id: Ie232bd50785bb750ecaa0a7e19403e573ac193eb
Gerrit-Change-Number: 23657
Gerrit-PatchSet: 2
Gerrit-Owner: Gabriella Lotz <[email protected]>
Gerrit-Reviewer: Alexey Serbin <[email protected]>
Gerrit-Reviewer: Ashwani Raina <[email protected]>
Gerrit-Reviewer: Kudu Jenkins (120)
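
The dispatch rule the commit message describes, as an added example that is not code from this change or from Kudu: StyleMode's value names come from the message, while MiniWebserver, Response, Handler, BuildDemoServer and the sample routes are hypothetical and constructed for illustration.

```cpp
#include <functional>
#include <map>
#include <string>
#include <utility>

enum class StyleMode { STYLED, UNSTYLED, JSON };  // names from the commit message
struct Response {
  int status = 200;
  std::map<std::string, std::string> headers;
  std::string body;
};
using Handler = std::function<std::string()>;

// Hypothetical dispatcher for illustration; not Kudu's Webserver class.
class MiniWebserver {
 public:
  void Register(const std::string& path, StyleMode mode, Handler h) {
    routes_[path] = Route{mode, std::move(h)};
  }
  Response Dispatch(const std::string& method, const std::string& path) const {
    Response resp;
    auto it = routes_.find(path);
    if (it == routes_.end()) { resp.status = 404; return resp; }
    const bool read_only = (method == "GET" || method == "HEAD");
    if (it->second.mode == StyleMode::STYLED && !read_only) {
      resp.status = 405;                    // rejected before the handler runs
      resp.headers["Allow"] = "GET, HEAD";  // tells the client what is accepted
      return resp;
    }
    resp.body = it->second.handler();
    if (method == "HEAD") resp.body.clear();  // HEAD returns headers only
    return resp;
  }
 private:
  struct Route { StyleMode mode; Handler handler; };
  std::map<std::string, Route> routes_;
};

// Constructed sample routes; *calls counts handler invocations.
MiniWebserver BuildDemoServer(int* calls) {
  MiniWebserver ws;
  ws.Register("/tables", StyleMode::STYLED, [calls] { ++*calls; return std::string("<html>tables</html>"); });
  ws.Register("/metrics", StyleMode::UNSTYLED, [calls] { ++*calls; return std::string("[]"); });
  return ws;
}
int main() {
  int calls = 0;
  return BuildDemoServer(&calls).Dispatch("POST", "/tables").status == 405 ? 0 : 1;
}
```

Because the method check sits ahead of the handler call, a rejected request never reaches page-rendering code, which is the property a regression test for this kind of change should pin down alongside the status code and Allow header.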
