[ https://issues.apache.org/jira/browse/YARN-8198?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16452389#comment-16452389 ]
Kanwaljeet Sachdev commented on YARN-8198:
------------------------------------------

[~rkanter], let me know your thoughts on the patch.

> Add Security-Related HTTP Response Header in Yarn WEBUIs.
> ---------------------------------------------------------
>
>                 Key: YARN-8198
>                 URL: https://issues.apache.org/jira/browse/YARN-8198
>             Project: Hadoop YARN
>          Issue Type: Improvement
>          Components: yarn
>            Reporter: Kanwaljeet Sachdev
>            Assignee: Kanwaljeet Sachdev
>            Priority: Major
>              Labels: security
>         Attachments: YARN-8198.001.patch, YARN-8198.002.patch, YARN-8198.003.patch
>
>
> As of today, YARN web-ui lacks certain security related http response
> headers. We are planning to add a few default ones and also add support for
> headers to be able to get added via xml config. Planning to make the below
> two as default.
>  * X-XSS-Protection: 1; mode=block
>  * X-Content-Type-Options: nosniff
>
> Support for headers via config properties in core-site.xml will be along the
> below lines
> {code:java}
> <property>
>     <name>hadoop.http.header.Strict_Transport_Security</name>
>     <value>valHSTSFromXML</value>
> </property>{code}
>
> A regex matcher will lift these properties and add into the response header
> when Jetty prepares the response.