Repository: spark
Updated Branches:
  refs/heads/master dc2714da5 -> 5a07aca4d


[SPARK-22188][CORE] Adding security headers for preventing XSS, MitM and MIME 
sniffing

## What changes were proposed in this pull request?

The HTTP Strict-Transport-Security response header (often abbreviated as HSTS) 
is a security feature that lets a web site tell browsers that it should only be 
communicated with using HTTPS, instead of using HTTP.

Note: The Strict-Transport-Security header is ignored by the browser when your 
site is accessed using HTTP; this is because an attacker may intercept HTTP 
connections and inject the header or remove it. When your site is accessed over 
HTTPS with no certificate errors, the browser knows your site is HTTPS capable 
and will honor the Strict-Transport-Security header.

The HTTP X-XSS-Protection response header is a feature of Internet Explorer, 
Chrome and Safari that stops pages from loading when they detect reflected 
cross-site scripting (XSS) attacks.

The HTTP X-Content-Type-Options response header is used to protect against MIME 
sniffing vulnerabilities.

## How was this patch tested?
Checked on my system locally.

<img width="750" alt="screen shot 2017-10-03 at 6 49 20 pm" src="https://user-images.githubusercontent.com/6433184/31127234-eadf7c0c-a86b-11e7-8e5d-f6ea3f97b210.png">

Author: krishna-pandey <[email protected]>
Author: Krishna Pandey <[email protected]>

Closes #19419 from krishna-pandey/SPARK-22188.
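An audit routine for the three headers described above, added here as an example and not taken from the commit or from Spark itself: it takes the request scheme and a header map (the sample at the bottom is constructed) and applies the same rule the patch does, namely that Strict-Transport-Security is only expected on responses served over https.

```python
# Added example, not Spark's own code: audit the three headers this patch adds
# to the Spark UI. The sample at the bottom is constructed, not captured traffic.

def parse_hsts(value):
    """'max-age=N[; includeSubDomains][; preload]' -> dict, or None if malformed."""
    directives = {}
    for token in (t.strip() for t in value.split(";")):
        if token:
            name, _, arg = token.partition("=")
            directives[name.strip().lower()] = arg.strip()
    if not directives.get("max-age", "").isdigit():  # absent or non-numeric
        return None
    return {"max_age": int(directives["max-age"]),
            "include_subdomains": "includesubdomains" in directives,
            "preload": "preload" in directives}

def audit_headers(scheme, headers, min_hsts_age=31536000):
    """Return {header: (status, detail)}, status in ok/warn/fail. As in the patch,
    HSTS is only expected on https: browsers ignore it over plain HTTP anyway."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    result = {}
    xss = h.get("x-xss-protection")
    if xss is None:
        result["X-XSS-Protection"] = ("warn", "header absent")
    elif xss.replace(" ", "") in ("0", "1", "1;mode=block"):  # values docs/security.md lists
        result["X-XSS-Protection"] = ("ok", xss)
    else:
        result["X-XSS-Protection"] = ("fail", "unrecognised value %r" % xss)
    cto = h.get("x-content-type-options")
    if cto is not None and cto.lower() == "nosniff":
        result["X-Content-Type-Options"] = ("ok", cto)
    else:
        result["X-Content-Type-Options"] = ("fail", "expected 'nosniff'")
    hsts = h.get("strict-transport-security")
    if scheme != "https":
        result["Strict-Transport-Security"] = ("ok", "not applicable over http")
    elif hsts is None:
        result["Strict-Transport-Security"] = ("fail", "missing on https response")
    elif (parsed := parse_hsts(hsts)) is None:
        result["Strict-Transport-Security"] = ("fail", "malformed value %r" % hsts)
    elif parsed["max_age"] < min_hsts_age:
        result["Strict-Transport-Security"] = ("warn", "max-age below %d" % min_hsts_age)
    else:
        result["Strict-Transport-Security"] = ("ok", hsts)
    return result

# Constructed sample: headers a Spark UI at this commit sends on https with
# spark.ui.strictTransportSecurity=max-age=31536000; includeSubDomains.
SAMPLE_HTTPS = {"X-XSS-Protection": "1; mode=block", "X-Content-Type-Options": "nosniff",
                "Strict-Transport-Security": "max-age=31536000; includeSubDomains"}
```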


Project: http://git-wip-us.apache.org/repos/asf/spark/repo
Commit: http://git-wip-us.apache.org/repos/asf/spark/commit/5a07aca4
Tree: http://git-wip-us.apache.org/repos/asf/spark/tree/5a07aca4
Diff: http://git-wip-us.apache.org/repos/asf/spark/diff/5a07aca4

Branch: refs/heads/master
Commit: 5a07aca4d464e96d75ea17bf6768e24b829872ec
Parents: dc2714d
Author: krishna-pandey <[email protected]>
Authored: Thu Oct 19 08:33:14 2017 +0100
Committer: Sean Owen <[email protected]>
Committed: Thu Oct 19 08:33:14 2017 +0100

----------------------------------------------------------------------
 .../apache/spark/internal/config/package.scala  | 18 ++++++++
 .../scala/org/apache/spark/ui/JettyUtils.scala  |  9 ++++
 docs/security.md                                | 47 ++++++++++++++++++++
 3 files changed, 74 insertions(+)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/spark/blob/5a07aca4/core/src/main/scala/org/apache/spark/internal/config/package.scala
----------------------------------------------------------------------
diff --git a/core/src/main/scala/org/apache/spark/internal/config/package.scala 
b/core/src/main/scala/org/apache/spark/internal/config/package.scala
index 0c36bdc..6f0247b 100644
--- a/core/src/main/scala/org/apache/spark/internal/config/package.scala
+++ b/core/src/main/scala/org/apache/spark/internal/config/package.scala
@@ -452,6 +452,24 @@ package object config {
       .toSequence
       .createWithDefault(Nil)
 
+  private[spark] val UI_X_XSS_PROTECTION =
+    ConfigBuilder("spark.ui.xXssProtection")
+      .doc("Value for HTTP X-XSS-Protection response header")
+      .stringConf
+      .createWithDefaultString("1; mode=block")
+
+  private[spark] val UI_X_CONTENT_TYPE_OPTIONS =
+    ConfigBuilder("spark.ui.xContentTypeOptions.enabled")
+      .doc("Set to 'true' for setting X-Content-Type-Options HTTP response 
header to 'nosniff'")
+      .booleanConf
+      .createWithDefault(true)
+
+  private[spark] val UI_STRICT_TRANSPORT_SECURITY =
+    ConfigBuilder("spark.ui.strictTransportSecurity")
+      .doc("Value for HTTP Strict Transport Security Response Header")
+      .stringConf
+      .createOptional
+
   private[spark] val EXTRA_LISTENERS = ConfigBuilder("spark.extraListeners")
     .doc("Class names of listeners to add to SparkContext during 
initialization.")
     .stringConf
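Review bot: the three new keys are named inconsistently: `spark.ui.xContentTypeOptions.enabled` is a boolean toggle with an `.enabled` suffix, while `spark.ui.xXssProtection` and `spark.ui.strictTransportSecurity` take the raw header value as a string; either make all three carry the header value or document why this one header is a switch. The doc string for `spark.ui.xXssProtection` also does not name the accepted values (`0`, `1`, `1; mode=block`, as the docs/security.md table in this same patch does), so `ConfigBuilder` output and the markdown table describe the option at different depths.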

http://git-wip-us.apache.org/repos/asf/spark/blob/5a07aca4/core/src/main/scala/org/apache/spark/ui/JettyUtils.scala
----------------------------------------------------------------------
diff --git a/core/src/main/scala/org/apache/spark/ui/JettyUtils.scala 
b/core/src/main/scala/org/apache/spark/ui/JettyUtils.scala
index 5ee04da..0adeb40 100644
--- a/core/src/main/scala/org/apache/spark/ui/JettyUtils.scala
+++ b/core/src/main/scala/org/apache/spark/ui/JettyUtils.scala
@@ -39,6 +39,7 @@ import org.json4s.jackson.JsonMethods.{pretty, render}
 
 import org.apache.spark.{SecurityManager, SparkConf, SSLOptions}
 import org.apache.spark.internal.Logging
+import org.apache.spark.internal.config._
 import org.apache.spark.util.Utils
 
 /**
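Review bot: `import org.apache.spark.internal.config._` brings every constant in the config package object into `JettyUtils` scope, where it can shadow local names; only `UI_X_XSS_PROTECTION`, `UI_X_CONTENT_TYPE_OPTIONS` and `UI_STRICT_TRANSPORT_SECURITY` are used, so import those three by name.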
@@ -89,6 +90,14 @@ private[spark] object JettyUtils extends Logging {
             val result = servletParams.responder(request)
             response.setHeader("Cache-Control", "no-cache, no-store, 
must-revalidate")
             response.setHeader("X-Frame-Options", xFrameOptionsValue)
+            response.setHeader("X-XSS-Protection", 
conf.get(UI_X_XSS_PROTECTION))
+            if (conf.get(UI_X_CONTENT_TYPE_OPTIONS)) {
+              response.setHeader("X-Content-Type-Options", "nosniff")
+            }
+            if (request.getScheme == "https") {
+              conf.get(UI_STRICT_TRANSPORT_SECURITY).foreach(
+                response.setHeader("Strict-Transport-Security", _))
+            }
             response.getWriter.print(servletParams.extractFn(result))
           } else {
             response.setStatus(HttpServletResponse.SC_FORBIDDEN)
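Review bot: the new `setHeader` calls sit only in the success branch next to the existing `Cache-Control` and `X-Frame-Options` headers, so the `SC_FORBIDDEN` response in the `else` branch leaves without them, as does any handler outside this servlet; stamping every response in one place (a filter) would close that gap. The `request.getScheme == "https"` guard also means a Spark UI behind a TLS-terminating proxy sees `http` and never emits `Strict-Transport-Security`; that limitation should be stated in the `spark.ui.strictTransportSecurity` documentation.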

http://git-wip-us.apache.org/repos/asf/spark/blob/5a07aca4/docs/security.md
----------------------------------------------------------------------
diff --git a/docs/security.md b/docs/security.md
index 1d00400..15aadf0 100644
--- a/docs/security.md
+++ b/docs/security.md
@@ -186,7 +186,54 @@ configure those ports.
   </tr>
 </table>
 
+### HTTP Security Headers
+
+Apache Spark can be configured to include HTTP Headers which aids in 
preventing Cross 
+Site Scripting (XSS), Cross-Frame Scripting (XFS), MIME-Sniffing and also 
enforces HTTP 
+Strict Transport Security.
+
+<table class="table">
+<tr><th>Property Name</th><th>Default</th><th>Meaning</th></tr>
+<tr>
+  <td><code>spark.ui.xXssProtection</code></td>
+  <td><code>1; mode=block</code></td>
+  <td>
+    Value for HTTP X-XSS-Protection response header. You can choose 
appropriate value 
+    from below:
+    <ul>
+      <li><code>0</code> (Disables XSS filtering)</li> 
+      <li><code>1</code> (Enables XSS filtering. If a cross-site scripting 
attack is detected, 
+        the browser will sanitize the page.)</li>
+      <li><code>1; mode=block</code> (Enables XSS filtering. The browser will 
prevent rendering 
+        of the page if an attack is detected.)</li>
+    </ul>
+  </td>
+</tr>
+<tr>
+  <td><code>spark.ui.xContentTypeOptions.enabled</code></td>
+  <td><code>true</code></td>
+  <td>
+    When value is set to "true", X-Content-Type-Options HTTP response header 
will be set 
+    to "nosniff". Set "false" to disable.
+  </td>
+  </tr>
+<tr>
+  <td><code>spark.ui.strictTransportSecurity</code></td>
+  <td>None</td>
+  <td>
+    Value for HTTP Strict Transport Security (HSTS) Response Header. You can 
choose appropriate 
+    value from below and set <code>expire-time</code> accordingly, when Spark 
is SSL/TLS enabled.
+    <ul>
+      <li><code>max-age=&lt;expire-time&gt;</code></li>
+      <li><code>max-age=&lt;expire-time&gt;; includeSubDomains</code></li>
+      <li><code>max-age=&lt;expire-time&gt;; preload</code></li>
+    </ul>
+  </td>
+</tr>
+</table>
+    
 
 See the [configuration page](configuration.html) for more details on the 
security configuration
 parameters, and <a 
href="{{site.SPARK_GITHUB_URL}}/tree/master/core/src/main/scala/org/apache/spark/SecurityManager.scala">
 <code>org.apache.spark.SecurityManager</code></a> for implementation details 
about security.
+
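Review bot: grammar and scope in the intro: "HTTP Headers which aids in preventing" should read "HTTP headers that help prevent", and Cross-Frame Scripting (XFS) is listed although this patch adds no `X-Frame-Options` setting (that header was already sent); either point at the existing option or drop XFS from the list. The HSTS row should also say the header is only emitted when the request reaches Spark over https, matching the `request.getScheme == "https"` check in JettyUtils, rather than only "when Spark is SSL/TLS enabled". Minor: the closing `</tr>` of the X-Content-Type-Options row is indented differently from the other rows, and the line after `</table>` carries trailing whitespace.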

