It's authenticated with LDAP. I am talking about the Cross-Origin Resource Sharing issue, for which there are configurations recommended to harden the HTTPS headers.

https://issues.apache.org/jira/plugins/servlet/mobile#issue/ZEPPELIN-245

I have followed the steps here https://zeppelin.apache.org/docs/0.7.3/security/http_security_headers.html but that doesn't seem to fix the vulnerability.

On Thu., 13 Dec. 2018, 5:13 pm Tushar Kapila <tgkp...@gmail.com> wrote:

> If it is exposed and you don't want unauthorized users to read or write, you need to add authentication: Apache Shiro, or make the Zeppelin port private (behind a firewall) and proxy all requests through a server that has the authentication you want.
>
> On Thu, 13 Dec, 2018, 11:12 Tushar Kapila <tgkp...@gmail.com> wrote:
>
>> Is your Zeppelin exposed to the internet? If not, I don't see why this should be an issue if it's behind the firewall.
>>
>> On Wed, 12 Dec, 2018, 03:57 Bicky Ealias <bickyeal...@gmail.com> wrote:
>>
>>> Checking again. Has anyone got a chance to fix the CORS issue on Zeppelin?
>>>
>>> On Wed., 5 Dec. 2018, 5:55 pm Bicky Ealias <bickyeal...@gmail.com> wrote:
>>>
>>>> Hello users,
>>>> Has anyone succeeded in hardening Zeppelin against the CORS vulnerability?
>>>>
>>>> ---------- Forwarded message ---------
>>>> From: Jeff Zhang <zjf...@gmail.com>
>>>> Date: Tuesday, 4 December 2018 at 5:05 pm
>>>> To: "Ealias, Bicky" <bicky.eal...@cba.com.au>
>>>> Subject: Re: CORS policy in Zeppelin
>>>>
>>>> Sorry, I don't know about this. Could you ask this in the zeppelin user mail list?
>>>>
>>>> Ealias, Bicky <bicky.eal...@cba.com.au> wrote on Tuesday, 4 December 2018 at 10:55 am:
>>>>
>>>> Hi Jeff,
>>>>
>>>> Hope you are doing well.
>>>>
>>>> Recently we had penetration testing done on Zeppelin, and one vulnerability that came forward is an issue with Zeppelin's HTML2 CORS policy.
>>>>
>>>> We are on version 0.8.0. I added these configurations as per the documentation:
>>>> https://zeppelin.apache.org/docs/0.8.0/setup/security/http_security_headers.html
>>>> But still that doesn't seem to fix the issue.
>>>>
>>>> https://issues.apache.org/jira/browse/ZEPPELIN-245 I see this ticket, but the comment says it's fixed in 0.6.0 already.
>>>>
>>>> Are there some other settings I can change?
>>>>
>>>> CommonwealthBank
>>>>
>>>> Bicky Ealias
>>>> Analytics & Information
>>>> Level 17, 255 Pitt St, Sydney NSW 2000
>>>> M: 0406949642
>>>> E: bicky.eal...@cba.com.au
>>>>
>>>> Our vision… To excel at securing and enhancing the financial wellbeing of people, businesses and communities.
>>>>
>>>> ************** IMPORTANT MESSAGE *****************************
>>>> This e-mail message is intended only for the addressee(s) and contains information which may be confidential.
>>>> If you are not the intended recipient please advise the sender by return email, do not use or disclose the contents, and delete the message and any attachments from your system. Unless specifically indicated, this email does not constitute formal advice or commitment by the sender or the Commonwealth Bank of Australia (ABN 48 123 123 124 AFSL and Australian credit licence 234945) or its subsidiaries.
>>>> We can be contacted through our web site: commbank.com.au.
>>>> If you no longer wish to receive commercial electronic messages from us, please reply to this e-mail by typing Unsubscribe in the subject line.
>>>> **************************************************************
>>>>
>>>> --
>>>> Best Regards
>>>> Jeff Zhang
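The thread never says how the pentest finding was verified, so here is a small checker, added to this page and not part of the Zeppelin project or the original e-mails, that classifies the CORS response headers a probe gets back: reflected untrusted origin, wildcard, `null`, or no grant at all. The trusted origin and the sample header sets are constructed for the example.

```python
"""Classify CORS response headers the way a pentest finding would (added example)."""
from typing import Dict, List, Optional

# Origin(s) the deployment is meant to serve; hypothetical value for this example.
TRUSTED_ORIGINS = {"https://zeppelin.example.internal"}


def get_header(headers: Dict[str, str], name: str) -> Optional[str]:
    """Case-insensitive lookup, since HTTP header names are not case-sensitive."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value.strip()
    return None


def assess_cors(request_origin: str, headers: Dict[str, str]) -> List[str]:
    """Findings for one probe: the Origin that was sent and the headers that came back.

    An empty list means nothing was granted to that origin, so browsers block
    cross-origin reads; that is what a hardened deployment should return.
    """
    findings: List[str] = []
    allow_origin = get_header(headers, "Access-Control-Allow-Origin")
    creds = (get_header(headers, "Access-Control-Allow-Credentials") or "").lower() == "true"
    if allow_origin is None:
        return findings
    if allow_origin == "*":
        findings.append("wildcard Access-Control-Allow-Origin")
    elif allow_origin == "null":
        findings.append("'null' origin allowed; sandboxed frames and data: URLs carry that origin")
    elif allow_origin == request_origin and request_origin not in TRUSTED_ORIGINS:
        findings.append(f"untrusted Origin reflected: {request_origin}")
        if creds:
            findings.append("reflected origin plus Allow-Credentials: authenticated cross-site reads")
    return findings


# Constructed sample responses for one untrusted probe origin (not captured from a real server).
PROBE_ORIGIN = "https://untrusted.example"
SAMPLE_RESPONSES = {
    "reflects_with_credentials": {"Access-Control-Allow-Origin": PROBE_ORIGIN,
                                  "Access-Control-Allow-Credentials": "true"},
    "wildcard": {"access-control-allow-origin": "*"},
    "no_cors_grant": {"Content-Type": "application/json"},
    "pinned_to_trusted": {"Access-Control-Allow-Origin": "https://zeppelin.example.internal"},
}


def run_samples() -> Dict[str, List[str]]:
    """Assess every constructed sample against the untrusted probe origin."""
    return {name: assess_cors(PROBE_ORIGIN, hdrs) for name, hdrs in SAMPLE_RESPONSES.items()}


if __name__ == "__main__":
    for name, result in run_samples().items():
        print(f"{name}: {'OK' if not result else '; '.join(result)}")
```

Against a live instance, send the same probe Origin with and without the recommended header configuration applied and compare the findings; only `no_cors_grant` or `pinned_to_trusted` behaviour means the fix took effect.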