Krishna Pandey created SPARK-22188:
--------------------------------------

             Summary: Add defense against Cross-Site Scripting, MIME-sniffing and MitM attack
                 Key: SPARK-22188
                 URL: https://issues.apache.org/jira/browse/SPARK-22188
             Project: Spark
          Issue Type: Bug
          Components: Spark Core
    Affects Versions: 2.2.0
            Reporter: Krishna Pandey
            Priority: Critical


The HTTP response headers below can be added to improve security.

The HTTP *Strict-Transport-Security* response header (often abbreviated as 
HSTS) is a security feature that lets a web site tell browsers that it should 
only be communicated with using HTTPS, instead of using HTTP.

*Note:* The Strict-Transport-Security header is ignored by the browser when 
your site is accessed using HTTP; this is because an attacker may intercept 
HTTP connections and inject the header or remove it. When your site is accessed 
over HTTPS with no certificate errors, the browser knows your site is HTTPS 
capable and will honor the Strict-Transport-Security header.

*An example scenario*
You log into a free WiFi access point at an airport and start surfing the web, 
visiting your online banking service to check your balance and pay a couple of 
bills. Unfortunately, the access point you're using is actually a hacker's 
laptop, and they're intercepting your original HTTP request and redirecting you 
to a clone of your bank's site instead of the real thing. Now your private data 
is exposed to the hacker.
Strict Transport Security resolves this problem; as long as you've accessed 
your bank's web site once using HTTPS, and the bank's web site uses Strict 
Transport Security, your browser will know to automatically use only HTTPS, 
which prevents hackers from performing this sort of man-in-the-middle attack.

*Syntax:*
Strict-Transport-Security: max-age=<expire-time>
Strict-Transport-Security: max-age=<expire-time>; includeSubDomains
Strict-Transport-Security: max-age=<expire-time>; preload
Read more at 
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security

The HTTP *X-XSS-Protection* response header is a feature of Internet Explorer, 
Chrome and Safari that stops pages from loading when they detect reflected 
cross-site scripting (XSS) attacks.

*Syntax:*
X-XSS-Protection: 0
X-XSS-Protection: 1
X-XSS-Protection: 1; mode=block
X-XSS-Protection: 1; report=<reporting-uri>
Read more at 
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection

The HTTP *X-Content-Type-Options* response header is used to protect against 
MIME sniffing vulnerabilities. These vulnerabilities can occur when a website 
allows users to upload content but a user disguises a file of one type as 
another; the browser may then sniff and execute it as something else, which 
gives the attacker an opportunity to perform cross-site scripting and compromise 
the website. Read more at 
https://www.keycdn.com/support/x-content-type-options/ and 
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options
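To check whether a response actually carries these three headers in a usable form, here is an added Python audit (example code written for this issue, not part of Spark or of the original report) that parses a raw HTTP response and reports missing or weak values; the sample responses are constructed, and the one-year minimum max-age is an assumed policy threshold.

```python
def parse_response_headers(raw):
    """Split a raw HTTP/1.1 response (status line + headers) into a dict of
    lower-cased header name -> value. A later duplicate overrides an earlier one."""
    headers = {}
    for line in raw.split("\r\n")[1:]:
        if not line:  # blank line ends the header block
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers

def parse_hsts(value):
    """Parse 'max-age=N[; includeSubDomains][; preload]' into a dict;
    valueless directives map to True, names are lower-cased."""
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if part:
            key, _, val = part.partition("=")
            directives[key.strip().lower()] = val.strip().strip('"') if val else True
    return directives

def audit_security_headers(raw, over_https=True, min_max_age=31536000):
    """Return a list of findings for the headers this issue asks for.
    min_max_age (one year) is an assumed policy threshold."""
    h, findings = parse_response_headers(raw), []
    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("missing Strict-Transport-Security")
    else:
        d = parse_hsts(hsts)
        age = d.get("max-age")
        if age is None or age is True or not age.isdigit():
            findings.append("Strict-Transport-Security: max-age missing or non-numeric")
        elif int(age) < min_max_age:
            findings.append(f"Strict-Transport-Security: max-age {age} below {min_max_age}")
        if "includesubdomains" not in d:
            findings.append("Strict-Transport-Security: includeSubDomains not set")
        if not over_https:  # browsers ignore HSTS received over plain HTTP
            findings.append("Strict-Transport-Security sent over plain HTTP is ignored by browsers")
    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options: nosniff missing")
    xss = h.get("x-xss-protection")
    if xss is None:
        findings.append("missing X-XSS-Protection")
    elif not xss.lower().replace(" ", "").startswith("1;mode=block"):
        findings.append(f"X-XSS-Protection: weak value '{xss}' (expect '1; mode=block')")
    return findings

# Constructed sample responses, not captured from a real Spark UI.
UNHARDENED = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>"
HARDENED = ("HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
            "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
            "X-XSS-Protection: 1; mode=block\r\nX-Content-Type-Options: nosniff\r\n\r\n<html>")
```

Running `audit_security_headers(UNHARDENED)` lists all three headers as missing, while the hardened sample returns an empty list; pass `over_https=False` to see the plain-HTTP caveat from the note above reported as a finding.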



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
