
alexott pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/zeppelin.git


The following commit(s) were added to refs/heads/master by this push:
     new 8952b27  [ZEPPELIN-4723] Enable HTTP security headers by default
8952b27 is described below

commit 8952b27ea45d798305ccece2e1226188f2ee4025
Author: Krishna Pandey <kpan...@cloudera.com>
AuthorDate: Mon Apr 6 13:18:12 2020 +0530

    [ZEPPELIN-4723] Enable HTTP security headers by default
    
    ### What is this PR for?
    Zeppelin installed with the default configuration does not enable the common web application security headers (zeppelin.server.xframe.options, zeppelin.server.xxss.protection, zeppelin.server.jetty.name, zeppelin.server.xcontent.type.options). This leaves a default installation without the browser-side mitigations for clickjacking, MIME-type sniffing and reflected XSS, and lets the Jetty version be read from the Server header for fingerprinting.
    
    ### What type of PR is it?
    Improvement
    
    ### Todos
    * Discuss HSTS header config (zeppelin.server.strict.transport) which if 
enabled requires TLS to be configured for Zeppelin to work
    
    ### What is the Jira issue?
    * [ZEPPELIN-4723](https://issues.apache.org/jira/browse/ZEPPELIN-4723)
    
    ### How should this be tested?
    * Below headers can be verified with received HTTP response
    Server:
    X-Content-Type-Options: nosniff
    X-FRAME-OPTIONS: SAMEORIGIN
    X-XSS-Protection: 1; mode=block
    
    Here is Travis test run link which passed: 
https://travis-ci.org/github/krishna-pandey/zeppelin/builds/670946421
    
    ### Questions:
    * Does the licenses files need update? No
    * Is there breaking changes for older versions? No
    * Does this needs documentation? No
    
    Author: Krishna Pandey <kpan...@cloudera.com>
    
    Closes #3716 from krishna-pandey/ZEPPELIN-4723 and squashes the following 
commits:
    
    afde17f07 [Krishna Pandey] Added default config values
    01d3040b9 [Krishna Pandey] Added documentation for enabled headers with 
default values
    f7578adc1 [Krishna Pandey] removed HSTS header, requires TLS config for 
Zeppelin to start
    6fbd30e12 [Krishna Pandey] Enable HTTP security headers by default
---
 conf/zeppelin-site.xml.template                          | 12 ++----------
 docs/setup/security/http_security_headers.md             | 16 ++++++++--------
 .../org/apache/zeppelin/conf/ZeppelinConfiguration.java  |  4 ++--
 3 files changed, 12 insertions(+), 20 deletions(-)

diff --git a/conf/zeppelin-site.xml.template b/conf/zeppelin-site.xml.template
index 6d33433..a1368e3 100755
--- a/conf/zeppelin-site.xml.template
+++ b/conf/zeppelin-site.xml.template
@@ -519,13 +519,11 @@
 </property>
 -->
 
-<!--
 <property>
     <name>zeppelin.server.jetty.name</name>
-    <value>Jetty(7.6.0.v20120127)</value>
+    <value> </value>
     <description>Hardcoding Application Server name to Prevent 
Fingerprinting</description>
 </property>
--->
 
 <!--
 <property>
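Review bot: The new default `<value> </value>` for `zeppelin.server.jetty.name` relies on a single whitespace character surviving the XML load, but `ZeppelinConfiguration` is built on Commons `XMLConfiguration`, which trims element text by default unless the element carries `xml:space="preserve"`, so the value read from this template is likely to be `""` rather than `" "`; I can't tell from here how the code that sets the header treats an empty string. If a literal space is the intent, write `<value xml:space="preserve"> </value>`, or better pick a non-blank neutral placeholder such as `<value>Zeppelin</value>` so the behaviour doesn't hinge on whitespace handling. The description could also state the contract rather than the mechanism: `Value sent as the HTTP Server header; set to a neutral string so the Jetty version is not revealed.`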
@@ -565,13 +563,11 @@
 </property>
 -->
 
-<!--
 <property>
   <name>zeppelin.server.xframe.options</name>
   <value>SAMEORIGIN</value>
   <description>The X-Frame-Options HTTP response header can be used to 
indicate whether or not a browser should be allowed to render a page in a 
frame/iframe/object.</description>
 </property>
--->
 
 <!--
 <property>
@@ -580,22 +576,18 @@
   <description>The HTTP Strict-Transport-Security response header is a 
security feature that lets a web site tell browsers that it should only be 
communicated with using HTTPS, instead of using HTTP. Enable this when Zeppelin 
is running on HTTPS. Value is in Seconds, the default value is equivalent to 20 
years.</description>
 </property>
 -->
-<!--
 
 <property>
   <name>zeppelin.server.xxss.protection</name>
-  <value>1</value>
+  <value>1; mode=block</value>
   <description>The HTTP X-XSS-Protection response header is a feature of 
Internet Explorer, Chrome and Safari that stops pages from loading when they 
detect reflected cross-site scripting (XSS) attacks. When value is set to 1 and 
a cross-site scripting attack is detected, the browser will sanitize the page 
(remove the unsafe parts).</description>
 </property>
--->
 
-<!--
 <property>
   <name>zeppelin.server.xcontent.type.options</name>
   <value>nosniff</value>
   <description>The HTTP X-Content-Type-Options response header helps to 
prevent MIME type sniffing attacks. It directs the browser to honor the type 
specified in the Content-Type header, rather than trying to determine the type 
from the content itself. The default value "nosniff" is really the only 
meaningful value. This header is supported on all browsers except Safari and 
Safari on iOS.</description>
 </property>
--->
 
 <!--
 <property>
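Review bot: The description under `zeppelin.server.xxss.protection` still documents the old value: it says the browser "will sanitize the page (remove the unsafe parts)", which is the behaviour of `1`, while the new default `1; mode=block` makes the browser stop rendering the page altogether. I'd update that context line to `When value is set to "1; mode=block" and a reflected cross-site scripting attack is detected, the browser blocks rendering of the page instead of sanitizing it.` It is also worth a caveat in the same description that the XSS auditor this header drives has been removed from Chromium-based browsers and was never implemented in Firefox, so it should not be presented as a primary XSS defence; Content-Security-Policy is the mechanism to rely on, and some current guidance prefers sending `0` or omitting the header because the filter itself has been abused for information leaks.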
diff --git a/docs/setup/security/http_security_headers.md 
b/docs/setup/security/http_security_headers.md
index 9fcb9f4..b93e0e1 100644
--- a/docs/setup/security/http_security_headers.md
+++ b/docs/setup/security/http_security_headers.md
@@ -53,7 +53,7 @@ Read more about HSTS 
[here](https://developer.mozilla.org/en-US/docs/Web/HTTP/He
 
 The HTTP X-XSS-Protection response header is a feature of Internet Explorer, 
Chrome and Safari Web browsers that initiates configured action when they 
detect reflected cross-site scripting (XSS) attacks.
  
-The following property needs to be updated in the zeppelin-site.xml in order 
to set X-XSS-PROTECTION header. 
+The below property to set X-XSS-Protection header is enabled with default 
value of "1; mode=block" in the zeppelin-site.xml
 
 ```xml
 <property>
@@ -64,7 +64,7 @@ The following property needs to be updated in the 
zeppelin-site.xml in order to
 ```
 
 
-You can choose appropriate value from below.
+You can choose appropriate value from below to update the configuration if 
required.
 
 * 0  (Disables XSS filtering)
 * 1  (Enables XSS filtering. If a cross-site scripting attack is detected, the 
browser will sanitize the page.)
@@ -76,7 +76,7 @@ Read more about HTTP X-XSS-Protection response header 
[here](https://developer.m
 
 The X-Frame-Options HTTP response header can indicate browser to avoid 
clickjacking attacks, by ensuring that their content is not embedded into other 
sites in a `<frame>`,`<iframe>` or `<object>`.
 
-The following property needs to be updated in the zeppelin-site.xml in order 
to set X-Frame-Options header.
+The below property to set X-Frame-Options header is enabled with default value 
of "SAMEORIGIN" in the zeppelin-site.xml
 
 ```xml
 <property>
@@ -87,7 +87,7 @@ The following property needs to be updated in the 
zeppelin-site.xml in order to
 ```
 
 
-You can choose appropriate value from below.
+You can choose appropriate value from below to update the configuration if 
required.
 
 * `DENY`
 * `SAMEORIGIN`
@@ -97,7 +97,7 @@ You can choose appropriate value from below.
 
 The HTTP X-Content-Type-Options response header helps to prevent MIME type 
sniffing attacks. It directs the browser to honor the type specified in the 
Content-Type header, rather than trying to determine the type from the content 
itself. The default value `nosniff` is really the only meaningful value. This 
header is supported on all browsers except Safari and Safari on iOS.
 
-Zeppelin server will add this header to HTTP response by default. The 
following property needs to be updated in the zeppelin-site.xml in order to 
change X-Content-Type-Options header value.
+The below property to set X-Content-Type-Options header is enabled with 
default value of "nosniff" in the zeppelin-site.xml
 
 ```xml
 <property>
@@ -111,14 +111,14 @@ Zeppelin server will add this header to HTTP response by 
default. The following
 
 Security conscious organisations does not want to reveal the Application 
Server name and version to prevent finding this information easily by Attacker 
while fingerprinting the Application. The exact version number can tell an 
Attacker if the current Application Server is patched for or vulnerable to 
certain publicly known CVE associated to it.
 
-The following property needs to be updated in the zeppelin-site.xml in order 
to set Server header.
+The below property to mask Jetty server version is enabled by default and 
configured with value of " " (one whitespace char) in the zeppelin-site.xml
 
 ```xml
 <property>
     <name>zeppelin.server.jetty.name</name>
-    <value>Jetty(7.6.0.v20120127)</value>
+    <value> </value>
     <description>Hardcoding Application Server name to Prevent 
Fingerprinting</description>
 </property>
 ```
 
-The value can be any "String".
\ No newline at end of file
+The value can be any "String". Removing this property from configuration will 
cause Zeppelin to send correct Jetty server version.
\ No newline at end of file
diff --git 
a/zeppelin-interpreter/src/main/java/org/apache/zeppelin/conf/ZeppelinConfiguration.java
 
b/zeppelin-interpreter/src/main/java/org/apache/zeppelin/conf/ZeppelinConfiguration.java
index 75391de..1be243f 100644
--- 
a/zeppelin-interpreter/src/main/java/org/apache/zeppelin/conf/ZeppelinConfiguration.java
+++ 
b/zeppelin-interpreter/src/main/java/org/apache/zeppelin/conf/ZeppelinConfiguration.java
@@ -954,14 +954,14 @@ public class ZeppelinConfiguration extends 
XMLConfiguration {
     
ZEPPELIN_WEBSOCKET_MAX_TEXT_MESSAGE_SIZE("zeppelin.websocket.max.text.message.size",
 "10240000"),
     ZEPPELIN_SERVER_DEFAULT_DIR_ALLOWED("zeppelin.server.default.dir.allowed", 
false),
     ZEPPELIN_SERVER_XFRAME_OPTIONS("zeppelin.server.xframe.options", 
"SAMEORIGIN"),
-    ZEPPELIN_SERVER_JETTY_NAME("zeppelin.server.jetty.name", null),
+    ZEPPELIN_SERVER_JETTY_NAME("zeppelin.server.jetty.name", " "),
     
ZEPPELIN_SERVER_JETTY_THREAD_POOL_MAX("zeppelin.server.jetty.thread.pool.max", 
400),
     
ZEPPELIN_SERVER_JETTY_THREAD_POOL_MIN("zeppelin.server.jetty.thread.pool.min", 
8),
     
ZEPPELIN_SERVER_JETTY_THREAD_POOL_TIMEOUT("zeppelin.server.jetty.thread.pool.timeout",
 30),
     
ZEPPELIN_SERVER_JETTY_REQUEST_HEADER_SIZE("zeppelin.server.jetty.request.header.size",
 8192),
     
ZEPPELIN_SERVER_AUTHORIZATION_HEADER_CLEAR("zeppelin.server.authorization.header.clear",
 true),
     ZEPPELIN_SERVER_STRICT_TRANSPORT("zeppelin.server.strict.transport", 
"max-age=631138519"),
-    ZEPPELIN_SERVER_X_XSS_PROTECTION("zeppelin.server.xxss.protection", "1"),
+    ZEPPELIN_SERVER_X_XSS_PROTECTION("zeppelin.server.xxss.protection", "1; 
mode=block"),
     
ZEPPELIN_SERVER_X_CONTENT_TYPE_OPTIONS("zeppelin.server.xcontent.type.options", 
"nosniff"),
 
     ZEPPELIN_SERVER_KERBEROS_KEYTAB("zeppelin.server.kerberos.keytab", ""),
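Review bot: Changing the `ZEPPELIN_SERVER_JETTY_NAME` default from `null` to `" "` means the property always has a value, even when an operator removes it from zeppelin-site.xml, which contradicts the sentence added to http_security_headers.md in this same commit that removing the property makes Zeppelin send the real Jetty version — unless the consumer of this value treats a blank string as unset, which is not visible here. A whitespace value also yields an empty `Server:` header rather than suppressing it, which the description's test output (`Server:`) confirms. If the goal is to hide the version, I'd keep `ZEPPELIN_SERVER_JETTY_NAME("zeppelin.server.jetty.name", null)` and have the server code disable Jetty's server-version header when no name is configured, or else correct the doc to say the property must be set to a non-blank value to expose the version. The `ConfVars` enum continues outside the hunk.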
