Rajkumar Singh created HIVE-21902:
-------------------------------------

             Summary: HiveServer2 UI: Adding X-XSS-Protection, X-Content-Type-Options to jetty response header
                 Key: HIVE-21902
                 URL: https://issues.apache.org/jira/browse/HIVE-21902
             Project: Hive
          Issue Type: Improvement
            Reporter: Rajkumar Singh


Some vulnerabilities are reported for the webserver UI:


X-Frame-Options or Content-Security-Policy: frame-ancestors HTTP Headers 
missing on port 10002. 
{code}
GET / HTTP/1.1
Host: HOSTNAME:10002
Connection: Keep-Alive
{code}

X-XSS-Protection HTTP Header missing on port 10002.
X-Content-Type-Options HTTP Header missing on port 10002.

After the proposed changes:

{code}
HTTP/1.1 200 OK
Date: Thu, 20 Jun 2019 05:29:59 GMT
Content-Type: text/html;charset=utf-8
X-Content-Type-Options: nosniff
X-FRAME-OPTIONS: SAMEORIGIN
X-XSS-Protection: 1; mode=block
Set-Cookie: JSESSIONID=15kscuow9cmy7qms6dzaxllqt;Path=/
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Content-Length: 3824
Server: Jetty(9.3.25.v20180904)
{code}



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
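
A check for the three findings in this issue, as an added example that is not part of the original report or the Hive code base: it parses a raw response head and lists the headers that are absent, matching names case-insensitively (the response above sends `X-FRAME-OPTIONS` in upper case) and accepting a CSP `frame-ancestors` directive in place of X-Frame-Options. The function names and the `BEFORE` and `CSP_ONLY` samples are constructed for illustration.

```python
# Added example: audit a response head for the headers named in HIVE-21902.
# AFTER is the response quoted in the issue; BEFORE and CSP_ONLY are constructed.
AFTER = """HTTP/1.1 200 OK
Date: Thu, 20 Jun 2019 05:29:59 GMT
Content-Type: text/html;charset=utf-8
X-Content-Type-Options: nosniff
X-FRAME-OPTIONS: SAMEORIGIN
X-XSS-Protection: 1; mode=block
Set-Cookie: JSESSIONID=15kscuow9cmy7qms6dzaxllqt;Path=/
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Content-Length: 3824
Server: Jetty(9.3.25.v20180904)
"""
BEFORE = "\n".join(l for l in AFTER.splitlines()
                   if not l.lower().startswith(("x-content", "x-frame", "x-xss")))
CSP_ONLY = BEFORE + "\nContent-Security-Policy: default-src 'self'; frame-ancestors 'self'"

REQUIRED = ("x-content-type-options", "x-xss-protection")

def parse_headers(raw):
    """Return {lowercased-name: [values]} from a raw HTTP response head."""
    headers = {}
    for line in raw.strip().splitlines()[1:]:   # skip the status line
        if not line.strip():
            break                                # blank line ends the header block
        name, sep, value = line.partition(":")  # split on the first colon only
        if sep:
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers

def has_frame_protection(headers):
    """X-Frame-Options or a CSP frame-ancestors directive clears the finding."""
    if headers.get("x-frame-options"):
        return True
    for policy in headers.get("content-security-policy", []):
        for directive in policy.split(";"):
            parts = directive.split()
            if parts and parts[0].lower() == "frame-ancestors":
                return True
    return False

def missing_headers(raw):
    """List the findings from the issue that still apply to this response."""
    headers = parse_headers(raw)
    missing = [h for h in REQUIRED if not headers.get(h)]
    if not has_frame_protection(headers):
        missing.append("x-frame-options or content-security-policy: frame-ancestors")
    return missing
```
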