[GitHub] spark issue #19419: [SPARK-22188] [CORE] Adding security headers for prevent...
Github user krishna-pandey commented on the issue: https://github.com/apache/spark/pull/19419 @srowen @rxin Made changes to enable the X-Content-Type-Options and X-XSS-Protection values by default. Please review. --- - To unsubscribe, e-mail: reviews-unsubscr...@spark.apache.org For additional commands, e-mail: reviews-h...@spark.apache.org
[GitHub] spark issue #19419: [SPARK-22188] [CORE] Adding security headers for prevent...
Github user krishna-pandey commented on the issue: https://github.com/apache/spark/pull/19419 @rxin, @srowen I think we can enable the X-XSS-Protection and X-Content-Type-Options response headers by default. The STS header can be left configurable or enabled by default when the Spark UI is running on HTTPS. **Word of caution**: When the X-Content-Type-Options response HTTP header is set to "nosniff", it will block a request if the requested type is "style" and the MIME type is not "text/css", or when the requested type is "script" and the MIME type is not a JavaScript MIME type.
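The "word of caution" above is the one operational risk of turning `nosniff` on by default: any static asset the UI serves with a wrong `Content-Type` stops loading. The following is an added Python model of that browser rule (not code from the Spark PR); the JavaScript MIME list follows the HTML specification, and the sample asset responses at the bottom are constructed to show one mis-served script.

```python
# Added example (not code from the Spark PR): a small model of what a browser
# does with "X-Content-Type-Options: nosniff" for style and script loads, as
# the comment above describes. Other destinations (images, fonts, documents)
# are not subject to this check. The sample responses are constructed.

# JavaScript MIME type essences as listed by the HTML specification.
JAVASCRIPT_MIME_TYPES = {
    "application/ecmascript", "application/javascript",
    "application/x-ecmascript", "application/x-javascript",
    "text/ecmascript", "text/javascript", "text/javascript1.0",
    "text/javascript1.1", "text/javascript1.2", "text/javascript1.3",
    "text/javascript1.4", "text/javascript1.5", "text/jscript",
    "text/livescript", "text/x-ecmascript", "text/x-javascript",
}


def mime_essence(content_type):
    """Lower-cased type/subtype of a Content-Type value, parameters such as
    charset stripped. A missing header yields ''."""
    if not content_type:
        return ""
    return content_type.split(";", 1)[0].strip().lower()


def nosniff_blocks(destination, content_type, nosniff=True):
    """True if a response with this Content-Type would be refused for the
    given request destination while nosniff is in effect."""
    if not nosniff:
        return False
    essence = mime_essence(content_type)
    if destination == "style":
        return essence != "text/css"
    if destination == "script":
        return essence not in JAVASCRIPT_MIME_TYPES
    return False


def audit_static_assets(responses, nosniff=True):
    """Given (path, destination, content_type) triples, return the paths a
    nosniff browser would refuse. Run this over a UI's static handler before
    switching the header on by default."""
    return [path for path, dest, ctype in responses
            if nosniff_blocks(dest, ctype, nosniff)]


# Constructed sample: a UI whose static handler mislabels one script.
SAMPLE_RESPONSES = [
    ("/static/bootstrap.min.css", "style", "text/css; charset=UTF-8"),
    ("/static/sorttable.js", "script", "application/javascript"),
    ("/static/vis.min.js", "script", "application/octet-stream"),  # mis-served
    ("/static/spark-logo.png", "image", "application/octet-stream"),
]

if __name__ == "__main__":
    for path in audit_static_assets(SAMPLE_RESPONSES):
        print(f"would be blocked under nosniff: {path}")
```

The image served as `application/octet-stream` still loads; only the mislabelled script is lost, which is exactly the class of breakage to look for in the UI's static handler before the default flips.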
[GitHub] spark pull request #19419: [SPARK-22188] [CORE] Adding security headers for ...
Github user krishna-pandey commented on a diff in the pull request: https://github.com/apache/spark/pull/19419#discussion_r144880059 --- Diff: docs/security.md --- @@ -186,7 +186,54 @@ configure those ports. +### HTTP Security Headers + +Apache Spark can be configured to include HTTP Headers which aids in preventing Cross +Site Scripting (XSS), Cross-Frame Scripting (XFS), MIME-Sniffing and also enforces HTTP +Strict Transport Security. + + +Property NameDefaultMeaning + + spark.ui.xXssProtection + None + +Value for HTTP X-XSS-Protection response header. You can choose appropriate value +from below: + + 0 (Disables XSS filtering) --- End diff -- @srowen Thanks for the excellent tip. It looks more readable now.
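Review bot: grammar in the hunk's opening sentence: "HTTP Headers which aids in preventing" should read "HTTP headers which aid in preventing". The same sentence says these headers "enforce" HTTP Strict Transport Security, but as the PR description notes, browsers ignore Strict-Transport-Security on plain HTTP, so the docs should say here that the STS header is only honored when the UI is served over HTTPS.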
[GitHub] spark pull request #19419: [SPARK-22188] [CORE] Adding security headers for ...
Github user krishna-pandey commented on a diff in the pull request: https://github.com/apache/spark/pull/19419#discussion_r144787904 --- Diff: docs/security.md --- @@ -186,7 +186,54 @@ configure those ports. +### HTTP Security Headers + +Apache Spark can be configured to include HTTP Headers which aids in preventing Cross +Site Scripting (XSS), Cross-Frame Scripting (XFS), MIME-Sniffing and also enforces HTTP +Strict Transport Security. + + +Property NameDefaultMeaning --- End diff -- @jerryshao Fixed the indentation issue as per other Spark docs. Thanks for pointing that out.
[GitHub] spark pull request #19419: [SPARK-22188] [CORE] Adding security headers for ...
Github user krishna-pandey commented on a diff in the pull request: https://github.com/apache/spark/pull/19419#discussion_r144768513 --- Diff: docs/configuration.md --- @@ -2013,7 +2013,6 @@ Apart from these, the following properties are also available, and may be useful - --- End diff -- Restored the change.
[GitHub] spark pull request #19419: [SPARK-22188] [CORE] Adding security headers for ...
Github user krishna-pandey commented on a diff in the pull request: https://github.com/apache/spark/pull/19419#discussion_r144768206 --- Diff: docs/security.md --- @@ -186,7 +186,52 @@ configure those ports. +### HTTP Security Headers + +Apache Spark can be configured to include HTTP Headers which aids in preventing Cross +Site Scripting (XSS), Cross-Frame Scripting (XFS), MIME-Sniffing and also enforces HTTP +Strict Transport Security. + + +Property NameDefaultMeaning + +spark.ui.xXssProtection +None + +Value for HTTP X-XSS-Protection response header. You can choose appropriate value +from below: + --- End diff -- @srowen Made them a bulleted list and closed the tag as well.
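Review bot: the `Default` cell for `spark.ui.xXssProtection` reads `None`, which tells operators the header is not sent unless they set it; if the proposal elsewhere in this thread to enable X-XSS-Protection by default lands, this row and the "You can choose appropriate value from below" wording need to change in the same commit so docs and code agree. Also, `Property NameDefaultMeaning` shows no cell separators in the quoted copy; please confirm the table header row carries its cell markup like the other tables in this file.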
[GitHub] spark issue #19419: [SPARK-22188] [CORE] Adding security headers for prevent...
Github user krishna-pandey commented on the issue: https://github.com/apache/spark/pull/19419 @jerryshao removed whitespace at the end of line 440 in package.scala. OK to test.
[GitHub] spark issue #19419: [SPARK-22188] [CORE] Adding security headers for prevent...
Github user krishna-pandey commented on the issue: https://github.com/apache/spark/pull/19419 @srowen @tgravescs @dongjoon-hyun @jerryshao Please review the PR. I have incorporated all changes as suggested.
[GitHub] spark pull request #19419: [SPARK-22188] [CORE] Adding security headers for ...
Github user krishna-pandey commented on a diff in the pull request: https://github.com/apache/spark/pull/19419#discussion_r144565082 --- Diff: core/src/main/scala/org/apache/spark/internal/config/package.scala --- @@ -420,6 +420,25 @@ package object config { .toSequence .createWithDefault(Nil) + + private[spark] val UI_X_XSS_PROTECTION = +ConfigBuilder("spark.ui.xXssProtection") + .doc("Value for HTTP X-XSS-Protection response header") + .stringConf + .createOptional + + private[spark] val UI_X_CONTENT_TYPE_OPTIONS = +ConfigBuilder("spark.ui.xContentTypeOptions.enabled") + .doc("Set to 'true' for setting X-Content-Type-Options HTTP response header to 'nosniff'") + .stringConf --- End diff -- Making it a Boolean.
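Review bot: `UI_X_CONTENT_TYPE_OPTIONS` is keyed `spark.ui.xContentTypeOptions.enabled` and documented as "Set to 'true'", yet it is declared with `.stringConf`; a flag named `.enabled` should be `.booleanConf` with an explicit `createWithDefault(...)`, so callers compare a Boolean instead of matching the string "true". The `.doc(...)` of `UI_X_XSS_PROTECTION` should also list the accepted values (`0`, `1`, `1; mode=block`) rather than only the header name, since the docs table elsewhere in this PR does.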
[GitHub] spark pull request #19419: [SPARK-22188] [CORE] Adding security headers for ...
Github user krishna-pandey commented on a diff in the pull request: https://github.com/apache/spark/pull/19419#discussion_r144495051 --- Diff: docs/configuration.md --- @@ -2013,7 +2013,62 @@ Apart from these, the following properties are also available, and may be useful +### HTTP Security Headers +Apache Spark can be configured to include HTTP Headers which aids in preventing Cross +Site Scripting (XSS), Cross-Frame Scripting (XFS), MIME-Sniffing and also enforces HTTP +Strict Transport Security. + + +Property NameDefaultMeaning + +spark.ui.xXssProtection +None + +Value for HTTP X-XSS-Protection response header. You can choose appropriate value +from below: + + 0 (Disables XSS filtering) --- End diff -- Removed the lists; however, it is being used in many places in the existing configuration.md.
[GitHub] spark pull request #19419: [SPARK-22188] [CORE] Adding security headers for ...
Github user krishna-pandey commented on a diff in the pull request: https://github.com/apache/spark/pull/19419#discussion_r144495102 --- Diff: docs/configuration.md --- @@ -2013,7 +2013,62 @@ Apart from these, the following properties are also available, and may be useful +### HTTP Security Headers +Apache Spark can be configured to include HTTP Headers which aids in preventing Cross +Site Scripting (XSS), Cross-Frame Scripting (XFS), MIME-Sniffing and also enforces HTTP +Strict Transport Security. + + +Property NameDefaultMeaning + +spark.ui.xXssProtection +None + +Value for HTTP X-XSS-Protection response header. You can choose appropriate value +from below: + + 0 (Disables XSS filtering) + 1 (Enables XSS filtering. If a cross-site scripting attack is detected, +the browser will sanitize the page.) + 1; mode=block (Enables XSS filtering. The browser will prevent rendering +of the page if an attack is detected.) + + + + +spark.ui.allowFramingFrom +SAMEORIGIN + +Value for X-Frame-Options HTTP response header +You can provide the "website uri" which can only be displayed in a frame on +the specified origin. + --- End diff -- Done.
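Review bot: the `spark.ui.allowFramingFrom` description is missing a full stop after "response header", and it should say what the value becomes: the property holds an origin and the code emits `ALLOW-FROM <uri>`, falling back to `SAMEORIGIN`, as the JettyUtils hunk elsewhere in this thread shows (`allowFramingFrom.map(uri => s"ALLOW-FROM $uri").getOrElse("SAMEORIGIN")`), so operators should not put `ALLOW-FROM` or `DENY` into the property itself.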
[GitHub] spark issue #19419: [SPARK-22188] [CORE] Adding security headers for prevent...
Github user krishna-pandey commented on the issue: https://github.com/apache/spark/pull/19419 @tgravescs These generic headers are about providing available client-side protection for the application. I also think that even if there is no sensitive data to formulate an attack by itself here, the information can be used in conjunction with other information to target other ecosystem components. Also, in future we may add an interface for data access. Now is the time to think of Security First. Cross-site Scripting is one of the most prevalent attack vectors and has been an OWASP Top 10 risk for web applications for decades. As the effort to have these in place here is minimal, IMHO we should set these. As you rightly mentioned, deployment on the cloud can expand the attack surface pretty wide in the absence of the right firewall policy. Also, let's not forget the insider threat inside corporate networks. Going forward, maybe we will have enough insight to choose which headers need to be enabled by default and enforce them from the application side and not leave it to users.
[GitHub] spark pull request #19419: [SPARK-22188] [CORE] Adding security headers for ...
Github user krishna-pandey commented on a diff in the pull request: https://github.com/apache/spark/pull/19419#discussion_r144348004 --- Diff: core/src/main/scala/org/apache/spark/ui/JettyUtils.scala --- @@ -89,6 +92,13 @@ private[spark] object JettyUtils extends Logging { val result = servletParams.responder(request) response.setHeader("Cache-Control", "no-cache, no-store, must-revalidate") response.setHeader("X-Frame-Options", xFrameOptionsValue) + xXssProtectionValue.foreach(response.setHeader("X-XSS-Protection", _)) +if (xContentTypeOptionsValue.get.equalsIgnoreCase("true")) { + response.setHeader("X-Content-Type-Options", "nosniff") +} +if (conf.get("spark.ssl.enabled").equalsIgnoreCase("true")) { --- End diff -- @jerryshao Thanks for the tip. I will do that.
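Review bot: both new conditions in this hunk throw on an unset key: `xContentTypeOptionsValue.get` on an empty `Option` raises `NoSuchElementException`, and `conf.get("spark.ssl.enabled")` does the same when the property is absent, which would fail every UI response on a plain-HTTP deployment that never set it. Read the SSL switch with a default (`conf.getBoolean("spark.ssl.enabled", false)`) and make the nosniff switch a boolean config entry with a default, so the header logic never depends on `Option.get`.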
[GitHub] spark pull request #19419: [SPARK-22188] [CORE] Adding security headers for ...
Github user krishna-pandey commented on a diff in the pull request: https://github.com/apache/spark/pull/19419#discussion_r144281816 --- Diff: core/src/main/scala/org/apache/spark/ui/JettyUtils.scala --- @@ -89,6 +92,9 @@ private[spark] object JettyUtils extends Logging { val result = servletParams.responder(request) response.setHeader("Cache-Control", "no-cache, no-store, must-revalidate") response.setHeader("X-Frame-Options", xFrameOptionsValue) + xXssProtectionValue.foreach(response.setHeader("X-XSS-Protection", _)) + xContentTypeOptionsValue.foreach(response.setHeader("X-Content-Type-Options", _)) + strictTransportSecurityValue.foreach(response.setHeader("Strict-Transport-Security", _)) --- End diff -- @jerryshao I added a check to set the STS header only if SSL is enabled. However, the STS header was not stopping the browser from rendering the content even when it was set and Spark was running on plain HTTP. Need to get the expected behaviour here. https://user-images.githubusercontent.com/6433184/31497151-ba7f7dac-af7b-11e7-99ea-88b64c778b51.png
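Review bot: `strictTransportSecurityValue.foreach(...)` sends Strict-Transport-Security whenever the property is configured, including over plain HTTP; guard it with the SSL-enabled check. The behaviour reported in the comment (the page still renders over HTTP with the header present) is expected rather than a defect: as the PR description itself states, the browser ignores the Strict-Transport-Security header when the site is accessed over HTTP and only honors it after an HTTPS visit with no certificate errors, so a plain-HTTP test cannot show the header working.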
[GitHub] spark pull request #19419: [SPARK-22188] [CORE] Adding security headers for ...
Github user krishna-pandey commented on a diff in the pull request: https://github.com/apache/spark/pull/19419#discussion_r144262853 --- Diff: core/src/main/scala/org/apache/spark/ui/JettyUtils.scala --- @@ -79,6 +79,9 @@ private[spark] object JettyUtils extends Logging { val allowFramingFrom = conf.getOption("spark.ui.allowFramingFrom") val xFrameOptionsValue = allowFramingFrom.map(uri => s"ALLOW-FROM $uri").getOrElse("SAMEORIGIN") +val xXssProtectionValue = conf.getOption("spark.ui.xXssProtection") --- End diff -- @jerryshao I am not sure if that will add much value in this context apart from following best practices.
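Review bot: `conf.getOption("spark.ui.xXssProtection")` hard-codes the property name as a string literal inside JettyUtils; define it as a `ConfigBuilder` entry in `internal/config/package.scala` (as a later hunk in this thread does with `UI_X_XSS_PROTECTION`) and read it through that entry, so the key, its doc string and its default live in one place and the UI code cannot drift from the documented name.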
[GitHub] spark pull request #19419: [SPARK-22188] [CORE] Adding security headers for ...
Github user krishna-pandey commented on a diff in the pull request: https://github.com/apache/spark/pull/19419#discussion_r144262264 --- Diff: conf/spark-defaults.conf.template --- @@ -25,3 +25,10 @@ # spark.serializer org.apache.spark.serializer.KryoSerializer # spark.driver.memory 5g # spark.executor.extraJavaOptions -XX:+PrintGCDetails -Dkey=value -Dnumbers="one two three" + +# spark.ui.allowFramingFrom https://www.example.com/ --- End diff -- @srowen, @jerryshao Removed the entries from the config template and put them in the configuration doc as suggested.
[GitHub] spark pull request #19419: [SPARK-22188] [CORE] Adding security headers for ...
Github user krishna-pandey commented on a diff in the pull request: https://github.com/apache/spark/pull/19419#discussion_r144204531 --- Diff: conf/spark-defaults.conf.template --- @@ -25,3 +25,10 @@ # spark.serializer org.apache.spark.serializer.KryoSerializer # spark.driver.memory 5g # spark.executor.extraJavaOptions -XX:+PrintGCDetails -Dkey=value -Dnumbers="one two three" + +# spark.ui.allowFramingFrom https://www.example.com/ +# spark.ui.xXssProtection 1; mode=block +# spark.ui.xContentType.options nosniff + +# Enable below only when Spark is running on HTTPS +# spark.ui.strictTransportSecurity max-age=31536000 --- End diff -- The REQUIRED "max-age" directive specifies the number of seconds, after the reception of the STS header field, during which the UA regards the host (from whom the message was received) as a Known HSTS Host. Here the value is equal to 365 days. More at https://tools.ietf.org/html/rfc6797#section-6.1.1
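Review bot: the new template keys are named inconsistently: `spark.ui.xXssProtection` and `spark.ui.strictTransportSecurity` keep the header name as one camel-cased segment, while `spark.ui.xContentType.options` splits it across a dot, and it takes the literal value `nosniff` although that is the header's only meaningful value. A boolean switch such as `spark.ui.xContentTypeOptions.enabled` (the name the config entry later in this thread adopts) reads consistently and cannot be misspelled into a value the browser ignores.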
[GitHub] spark pull request #19419: [SPARK-22188] [CORE] Adding security headers for ...
Github user krishna-pandey commented on a diff in the pull request: https://github.com/apache/spark/pull/19419#discussion_r143427428 --- Diff: core/src/main/scala/org/apache/spark/ui/JettyUtils.scala --- @@ -89,6 +92,9 @@ private[spark] object JettyUtils extends Logging { val result = servletParams.responder(request) response.setHeader("Cache-Control", "no-cache, no-store, must-revalidate") response.setHeader("X-Frame-Options", xFrameOptionsValue) + xXssProtectionValue.foreach(response.setHeader("X-XSS-Protection", _)) + xContentTypeOptionsValue.foreach(response.setHeader("X-Content-Type-Options", _)) + strictTransportSecurityValue.foreach(response.setHeader("Strict-Transport-Security", _)) --- End diff -- @jerryshao Out of these three, the Strict Transport Security header makes sense when SSL/TLS is enabled.
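The JettyUtils hunks in this thread converge on one policy: framing restricted to the configured origin, X-XSS-Protection and nosniff sent by default, and Strict-Transport-Security only when the UI itself is served over TLS. The following is an added Python model of that policy, not the PR's Scala; the defaults it assumes follow the proposal made in the thread rather than any shipped Spark configuration, and `conf` stands in for `SparkConf` as a plain dict.

```python
# Added example, not the PR's Scala: a Python model of the header policy the
# JettyUtils hunks in this thread converge on. Defaults (X-XSS-Protection and
# nosniff on, Strict-Transport-Security off unless configured) follow the
# proposal in the thread and are assumptions, not Spark's shipped values.
# The config keys are the ones that appear in the hunks.

CACHE_CONTROL = "no-cache, no-store, must-revalidate"


def _flag(conf, key, default):
    """Read a true/false setting without raising on a missing key (the
    Option.get / SparkConf.get pitfall raised in review)."""
    return str(conf.get(key, default)).strip().lower() == "true"


def security_headers(conf):
    """Return the security headers the UI should add for this configuration.
    `conf` models SparkConf as a dict of string keys and string values."""
    headers = {"Cache-Control": CACHE_CONTROL}

    # X-Frame-Options: a configured origin is wrapped as ALLOW-FROM; otherwise
    # the UI may only be framed by its own origin.
    allow_from = conf.get("spark.ui.allowFramingFrom")
    headers["X-Frame-Options"] = (
        f"ALLOW-FROM {allow_from}" if allow_from else "SAMEORIGIN"
    )

    # X-XSS-Protection: sent whenever a value is configured; the assumed
    # default is the "1; mode=block" the template proposes.
    xss = conf.get("spark.ui.xXssProtection", "1; mode=block")
    if xss:
        headers["X-XSS-Protection"] = xss

    # X-Content-Type-Options has exactly one useful value, so it is a boolean
    # switch rather than a free-form string.
    if _flag(conf, "spark.ui.xContentTypeOptions.enabled", "true"):
        headers["X-Content-Type-Options"] = "nosniff"

    # Strict-Transport-Security is only sent when the UI is served over TLS:
    # browsers ignore it on plain HTTP, so emitting it there only confuses.
    sts = conf.get("spark.ui.strictTransportSecurity")
    if sts and _flag(conf, "spark.ssl.enabled", "false"):
        headers["Strict-Transport-Security"] = sts

    return headers


if __name__ == "__main__":
    # Constructed configurations: a default plain-HTTP UI and a TLS one.
    for name, conf in [
        ("plain HTTP, defaults", {}),
        ("HTTPS with STS and a framing origin", {
            "spark.ssl.enabled": "true",
            "spark.ui.strictTransportSecurity": "max-age=31536000",
            "spark.ui.allowFramingFrom": "https://example.com/",
        }),
    ]:
        print(name)
        for header, value in security_headers(conf).items():
            print(f"  {header}: {value}")
```

Every lookup goes through `dict.get` with a default, which is the Python equivalent of the `Option.foreach` / `getBoolean(key, default)` shape the review asked for: an operator who never sets a key gets the default rather than an exception on every request.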
[GitHub] spark issue #19419: [SPARK-22188] [CORE] Adding security headers for prevent...
Github user krishna-pandey commented on the issue: https://github.com/apache/spark/pull/19419 @dongjoon-hyun Made the changes as suggested.
[GitHub] spark issue #19419: [SPARK-22188] [CORE] Adding security headers for prevent...
Github user krishna-pandey commented on the issue: https://github.com/apache/spark/pull/19419 @dongjoon-hyun Thanks for the review. Made the changes as suggested.
[GitHub] spark pull request #19419: [SPARK-22188] [CORE] Adding security headers for ...
Github user krishna-pandey commented on a diff in the pull request: https://github.com/apache/spark/pull/19419#discussion_r142708896 --- Diff: conf/spark-defaults.conf.template --- @@ -19,9 +19,16 @@ # This is useful for setting default environmental settings. # Example: -# spark.master spark://master:7077 -# spark.eventLog.enabled true -# spark.eventLog.dir hdfs://namenode:8021/directory -# spark.serializer org.apache.spark.serializer.KryoSerializer -# spark.driver.memory 5g -# spark.executor.extraJavaOptions -XX:+PrintGCDetails -Dkey=value -Dnumbers="one two three" +# spark.master spark://master:7077 +# spark.eventLog.enabledtrue +# spark.eventLog.dirhdfs://namenode:8021/directory +# spark.serializer org.apache.spark.serializer.KryoSerializer +# spark.driver.memory 5g +# spark.executor.extraJavaOptions -XX:+PrintGCDetails -Dkey=value -Dnumbers="one two three" + +#spark.ui.allowFramingFrom https://example.com/ +#spark.ui.xXssProtection.enabled1; mode=block --- End diff -- @srowen renamed the keys as suggested. Thanks again for the review.
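Review bot: `#spark.ui.xXssProtection.enabled` carries the value `1; mode=block`, so the `.enabled` suffix promises a boolean while the value is a header string; either drop the suffix (the rename to `spark.ui.xXssProtection` later in this thread does that) or make it a real boolean and fix the header value in code. The new lines also omit the space after `#` that every existing example line in this template uses, and the hunk rewrites the existing example lines (`spark.eventLog.enabledtrue`) when only the new entries were meant to change; please keep the diff to the added lines.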
[GitHub] spark pull request #19419: [SPARK-22188] [CORE] Adding security headers for ...
Github user krishna-pandey commented on a diff in the pull request: https://github.com/apache/spark/pull/19419#discussion_r142701588 --- Diff: conf/spark-defaults.conf.template --- @@ -19,9 +19,16 @@ # This is useful for setting default environmental settings. # Example: -# spark.master spark://master:7077 -# spark.eventLog.enabled true -# spark.eventLog.dir hdfs://namenode:8021/directory -# spark.serializer org.apache.spark.serializer.KryoSerializer -# spark.driver.memory 5g -# spark.executor.extraJavaOptions -XX:+PrintGCDetails -Dkey=value -Dnumbers="one two three" +# spark.master spark://master:7077 +# spark.eventLog.enabledtrue +# spark.eventLog.dirhdfs://namenode:8021/directory +# spark.serializer org.apache.spark.serializer.KryoSerializer +# spark.driver.memory 5g +# spark.executor.extraJavaOptions -XX:+PrintGCDetails -Dkey=value -Dnumbers="one two three" + +#spark.ui.allowFramingFrom https://example.com/ +#spark.ui.xXssProtection.enabled1; mode=block +#spark.ui.xContentType.options nosniff + +#Enable below only when Spark is running on HTTPS +#spark.ui.strictTransportSecurity.age max-age=31536000 --- End diff -- I understand that the "max-age" part is common across all values, but I don't want to tamper with the value part, for ease and any future compatibility. I will rather remove ".age" to avoid confusion arising out of this.
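Review bot: `spark.ui.strictTransportSecurity.age max-age=31536000` states "age" in both the key and the value; since `max-age` is a required directive of the header value itself (RFC 6797 section 6.1.1, linked in this thread) and further directives such as `includeSubDomains` may follow it, keep the key as `spark.ui.strictTransportSecurity` and let the value be the complete directive string, as the comment proposes.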
[GitHub] spark pull request #19419: [SPARK-22188] [CORE] Adding security headers for ...
Github user krishna-pandey commented on a diff in the pull request: https://github.com/apache/spark/pull/19419#discussion_r142578623 --- Diff: core/src/main/scala/org/apache/spark/ui/JettyUtils.scala --- @@ -89,6 +92,9 @@ private[spark] object JettyUtils extends Logging { val result = servletParams.responder(request) response.setHeader("Cache-Control", "no-cache, no-store, must-revalidate") response.setHeader("X-Frame-Options", xFrameOptionsValue) +response.setHeader("X-XSS-Protection", xXssProtectionValue.get) --- End diff -- @srowen Added the check (if the Option exists, then set it) and tested locally. Thanks for the review.
[GitHub] spark pull request #19419: [SPARK-22188] [CORE] Adding security headers for ...
Github user krishna-pandey commented on a diff in the pull request: https://github.com/apache/spark/pull/19419#discussion_r142446016 --- Diff: core/src/main/scala/org/apache/spark/ui/JettyUtils.scala --- @@ -89,6 +92,9 @@ private[spark] object JettyUtils extends Logging { val result = servletParams.responder(request) response.setHeader("Cache-Control", "no-cache, no-store, must-revalidate") response.setHeader("X-Frame-Options", xFrameOptionsValue) +response.setHeader("X-XSS-Protection", xXssProtectionValue.get) --- End diff -- Yes, I will add a check for that.
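Review bot: `response.setHeader("X-XSS-Protection", xXssProtectionValue.get)` calls `Option.get` unconditionally, so every UI request throws `NoSuchElementException` when `spark.ui.xXssProtection` is not configured; set the header only when the option is defined, e.g. `xXssProtectionValue.foreach(response.setHeader("X-XSS-Protection", _))`, which is the form the later hunks in this thread use.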
[GitHub] spark pull request #19419: [SPARK-22188] [CORE] Adding security headers for ...
Github user krishna-pandey commented on a diff in the pull request: https://github.com/apache/spark/pull/19419#discussion_r142445649 --- Diff: conf/spark-defaults.conf.template --- @@ -19,9 +19,16 @@ # This is useful for setting default environmental settings. # Example: -# spark.master spark://master:7077 -# spark.eventLog.enabled true -# spark.eventLog.dir hdfs://namenode:8021/directory -# spark.serializer org.apache.spark.serializer.KryoSerializer -# spark.driver.memory 5g -# spark.executor.extraJavaOptions -XX:+PrintGCDetails -Dkey=value -Dnumbers="one two three" +# spark.master spark://master:7077 +# spark.eventLog.enabledtrue +# spark.eventLog.dirhdfs://namenode:8021/directory +# spark.serializer org.apache.spark.serializer.KryoSerializer +# spark.driver.memory 5g +# spark.executor.extraJavaOptions -XX:+PrintGCDetails -Dkey=value -Dnumbers="one two three" + +#spark.ui.allowFramingFrom https://example.com/ +#spark.ui.xXssProtection.enabled1; mode=block +#spark.ui.xContentType.options nosniff + +#Enable below only when Spark is running on HTTPS +#spark.ui.strictTransportSecurity.age max-age=31536000 --- End diff -- Yes, "max-age" needs to be part of the user-supplied string. Possible values can be one from the set below; the default one mentioned in the template is the optimum secure value commonly used. Strict-Transport-Security: {max-age=<expire-time> | max-age=<expire-time>; includeSubDomains | max-age=<expire-time>; preload} The value is in delta-seconds. More here https://tools.ietf.org/html/rfc6797#section-6.1.1
[GitHub] spark pull request #19419: [SPARK-22188] [CORE] Adding security headers for ...
Github user krishna-pandey commented on a diff in the pull request: https://github.com/apache/spark/pull/19419#discussion_r142442356 --- Diff: conf/spark-defaults.conf.template --- @@ -19,9 +19,16 @@ # This is useful for setting default environmental settings. # Example: -# spark.master spark://master:7077 -# spark.eventLog.enabled true -# spark.eventLog.dir hdfs://namenode:8021/directory -# spark.serializer org.apache.spark.serializer.KryoSerializer -# spark.driver.memory 5g -# spark.executor.extraJavaOptions -XX:+PrintGCDetails -Dkey=value -Dnumbers="one two three" +# spark.master spark://master:7077 +# spark.eventLog.enabledtrue +# spark.eventLog.dirhdfs://namenode:8021/directory +# spark.serializer org.apache.spark.serializer.KryoSerializer +# spark.driver.memory 5g +# spark.executor.extraJavaOptions -XX:+PrintGCDetails -Dkey=value -Dnumbers="one two three" + +#spark.ui.allowFramingFrom https://example.com/ +#spark.ui.xXssProtection.enabled1; mode=block --- End diff -- Possible values can be one from the set below; the default one mentioned in the template is commonly used and provides effective protection. X-XSS-Protection: { 0 | 1 | 1; mode=block | 1; report= }
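The two comments above (and the RFC 6797 discussion of `max-age` earlier in the thread) spell out the accepted value sets for `X-XSS-Protection` and `Strict-Transport-Security`. Since both properties take free-form strings that Spark passes straight into the response, a deployment check that validates what the UI actually sends is the practical safeguard. The following validator is an added Python example, not Spark code; the sample response headers at the bottom are constructed, and `ONE_YEAR` is the 365-day `max-age` the template proposes.

```python
# Added example, not Spark code: validate the Strict-Transport-Security
# (RFC 6797 section 6.1) and X-XSS-Protection values discussed in this thread,
# and audit a response's headers for the policy the PR introduces.
# The sample headers below are constructed, not captured from a Spark UI.
import re

ONE_YEAR = 31536000  # the max-age the template proposes (365 days)

# Accepted forms quoted in the thread: 0 | 1 | 1; mode=block | 1; report=<uri>
_XSS_VALUE = re.compile(r"^(0|1)(?:\s*;\s*(mode=block|report=\S+))?$",
                        re.IGNORECASE)


def valid_xss_protection(value):
    """True if `value` is one of the recognised X-XSS-Protection forms.
    A directive only makes sense with the filter on, so '0; mode=block'
    is rejected."""
    m = _XSS_VALUE.match(value.strip())
    return bool(m) and not (m.group(1) == "0" and m.group(2) is not None)


def parse_sts(value):
    """Parse a Strict-Transport-Security value into its directives.

    RFC 6797: directives are ';'-separated, names are case-insensitive and
    must not repeat, max-age is REQUIRED and carries delta-seconds. 'preload'
    is not in the RFC but is in common use, so it is accepted.
    Raises ValueError on malformed input.
    """
    seen = {}
    for raw in value.split(";"):
        raw = raw.strip()
        if not raw:
            continue
        name, _, val = raw.partition("=")
        name = name.strip().lower()
        if name in seen:
            raise ValueError(f"directive {name!r} appears more than once")
        seen[name] = val.strip().strip('"') if val else None
    if "max-age" not in seen:
        raise ValueError("max-age directive is required")
    max_age = seen["max-age"]
    if not max_age or not max_age.isdigit():
        raise ValueError("max-age must be a non-negative integer (delta-seconds)")
    return {
        "max_age": int(max_age),
        "include_subdomains": "includesubdomains" in seen,
        "preload": "preload" in seen,
    }


def sts_error(value):
    """The ValueError message for a malformed STS value, or None if valid."""
    try:
        parse_sts(value)
    except ValueError as exc:
        return str(exc)
    return None


def audit_headers(headers, over_https):
    """Findings for a response's headers (names matched case-insensitively);
    an empty list means every header is present and well-formed."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []
    if "x-frame-options" not in h:
        findings.append("X-Frame-Options missing: page can be framed by any origin")
    xss = h.get("x-xss-protection")
    if xss is None:
        findings.append("X-XSS-Protection missing")
    elif not valid_xss_protection(xss):
        findings.append(f"X-XSS-Protection has unrecognised value {xss!r}")
    if h.get("x-content-type-options", "").strip().lower() != "nosniff":
        findings.append("X-Content-Type-Options is not 'nosniff'")
    sts = h.get("strict-transport-security")
    if sts is not None:
        if not over_https:
            findings.append("Strict-Transport-Security sent over plain HTTP; "
                            "browsers ignore it, enable it only with TLS")
        err = sts_error(sts)
        if err:
            findings.append(f"Strict-Transport-Security malformed: {err}")
        elif parse_sts(sts)["max_age"] < ONE_YEAR:
            findings.append("Strict-Transport-Security max-age is shorter than "
                            "the one-year value the template uses")
    return findings


# Constructed sample: the headers the UI sends once the PR is applied.
SAMPLE_HEADERS = {
    "Cache-Control": "no-cache, no-store, must-revalidate",
    "X-Frame-Options": "SAMEORIGIN",
    "X-XSS-Protection": "1; mode=block",
    "X-Content-Type-Options": "nosniff",
    "Strict-Transport-Security": "max-age=31536000",
}

if __name__ == "__main__":
    for https in (True, False):
        print(f"over_https={https}: "
              f"{audit_headers(SAMPLE_HEADERS, https) or 'no findings'}")
```

Run it against the headers of a real `curl -i` of the UI, passing `over_https` according to the scheme used, and a misconfigured `spark.ui.xXssProtection` or an STS header leaking onto a plain-HTTP deployment shows up as a finding rather than silently being ignored by the browser.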
[GitHub] spark pull request #19419: Adding security headers for preventing XSS, MitM ...
GitHub user krishna-pandey opened a pull request: https://github.com/apache/spark/pull/19419 Adding security headers for preventing XSS, MitM and MIME sniffing

## What changes were proposed in this pull request?

The HTTP Strict-Transport-Security response header (often abbreviated as HSTS) is a security feature that lets a web site tell browsers that it should only be communicated with using HTTPS, instead of using HTTP.

Note: The Strict-Transport-Security header is ignored by the browser when your site is accessed using HTTP; this is because an attacker may intercept HTTP connections and inject the header or remove it. When your site is accessed over HTTPS with no certificate errors, the browser knows your site is HTTPS capable and will honor the Strict-Transport-Security header.

The HTTP X-XSS-Protection response header is a feature of Internet Explorer, Chrome and Safari that stops pages from loading when they detect reflected cross-site scripting (XSS) attacks.

The HTTP X-Content-Type-Options response header is used to protect against MIME sniffing vulnerabilities.

## How was this patch tested?

Checked on my system locally.

https://user-images.githubusercontent.com/6433184/31127234-eadf7c0c-a86b-11e7-8e5d-f6ea3f97b210.png

Please review http://spark.apache.org/contributing.html before opening a pull request.
You can merge this pull request into a Git repository by running:

    $ git pull https://github.com/krishna-pandey/spark SPARK-22188

Alternatively you can review and apply these changes as the patch at:

    https://github.com/apache/spark/pull/19419.patch

To close this pull request, make a commit to your master/trunk branch with (at least) the following in the commit message:

    This closes #19419

commit abb081df1f93fea38b611bcbfe563606783420fd
Author: krishna-pandey <krish.pande...@gmail.com>
Date:   2017-10-03T13:13:27Z

    Adding security headers for preventing XSS, MitM and MIME sniffing