GitHub user srowen commented on a diff in the pull request:

    https://github.com/apache/spark/pull/19419#discussion_r144483342
  
    --- Diff: docs/configuration.md ---
    @@ -2013,7 +2013,62 @@ Apart from these, the following properties are also 
available, and may be useful
         </tr>
     </table>
     
    +### HTTP Security Headers
     
    +Apache Spark can be configured to include HTTP Headers which aids in 
preventing Cross 
    +Site Scripting (XSS), Cross-Frame Scripting (XFS), MIME-Sniffing and also 
enforces HTTP 
    +Strict Transport Security.
    +
    +<table class="table">
    +    <tr><th>Property Name</th><th>Default</th><th>Meaning</th></tr>
    +    <tr>
    +        <td><code>spark.ui.xXssProtection</code></td>
    +        <td>None</td>
    +        <td>
    +            Value for HTTP X-XSS-Protection response header. You can 
choose appropriate value 
    +            from below:
    +            <ul>
    +                <li>  0 (Disables XSS filtering)
    +                <li>  1 (Enables XSS filtering. If a cross-site scripting 
attack is detected, 
    +                        the browser will sanitize the page.)
    +                <li>  1; mode=block (Enables XSS filtering. The browser 
will prevent rendering 
    +                        of the page if an attack is detected.)
    +            </ul> 
    +        </td>
    +    </tr>
    +    <tr>
    +        <td><code>spark.ui.allowFramingFrom</code></td>
    +        <td>SAMEORIGIN</td>
    +        <td>
    +            Value for X-Frame-Options HTTP response header
    +            <br />You can provide the "website uri" which can only be 
displayed in a frame on 
    +                the specified origin. 
    +            <br />
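
Review bot: The `spark.ui.allowFramingFrom` description at the end of this hunk reads backwards: "You can provide the "website uri" which can only be displayed in a frame on the specified origin" says the URI is what gets framed, when it is the Spark UI page that may be framed by that origin. Suggest rewording it to say that the UI may only be displayed in a frame on the given origin, and stating what form the value takes (the default shown is `SAMEORIGIN`, so it is unclear whether a bare URI or a full X-Frame-Options value is expected). Also in this hunk: the `<li>` items under `spark.ui.xXssProtection` are never closed, the trailing `<br />` has nothing after it, and "HTTP Headers which aids" in the intro should be "HTTP headers which aid".
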
    --- End diff --
    
    Remove this

