Added configurable Strict-Transport-Security and X-XSS-Protection Headers

This commit is contained in:
krishna-pandey 2017-07-14 17:04:36 +05:30
parent ebb6591d84
commit 468231cc65
3 changed files with 31 additions and 2 deletions


@ -396,4 +396,18 @@
</property>
-->
<!--
<property>
<name>zeppelin.server.strict.transport</name>
<value>max-age=631138519</value>
<description>The HTTP Strict-Transport-Security response header is a security feature that lets a web site tell browsers that it should only be communicated with using HTTPS, instead of using HTTP. Enable this when Zeppelin is running on HTTPS.Set value is in Seconds equivalent to 20 years.</description>
</property>
-->
<!--
<property>
<name>zeppelin.server.xxss.protection</name>
<value>1</value>
<description>The HTTP X-XSS-Protection response header is a feature of Internet Explorer, Chrome and Safari that stops pages from loading when they detect reflected cross-site scripting (XSS) attacks. When value is set to 1 and a cross-site scripting attack is detected, the browser will sanitize the page (remove the unsafe parts).</description>
</property>
-->
</configuration>
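Review bot: The description of zeppelin.server.strict.transport tells operators to "Enable this when Zeppelin is running on HTTPS", but the CorsFilter change in this commit only emits the header when `zeppelinConfiguration.useSsl()` is true, so the property has no effect in a deployment where TLS is terminated in front of Zeppelin; the description should say so, e.g. `Only sent when Zeppelin's own SSL listener is enabled; if TLS is terminated by a proxy in front of Zeppelin, set the header at the proxy instead.` The same sentence is also missing a space in "HTTP.Set value". The X-XSS-Protection description could mention that the value is copied verbatim into the header, so it must be a value browsers accept.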


@ -80,7 +80,12 @@ public class CorsFilter implements Filter {
DateFormat fullDateFormatEN =
DateFormat.getDateTimeInstance(DateFormat.FULL, DateFormat.FULL, new Locale("EN", "en"));
response.addHeader("Date", fullDateFormatEN.format(new Date()));
response.addHeader("X-FRAME-OPTIONS", ZeppelinConfiguration.create().getXFrameOptions());
ZeppelinConfiguration zeppelinConfiguration = ZeppelinConfiguration.create();
response.addHeader("X-FRAME-OPTIONS", zeppelinConfiguration.getXFrameOptions());
if (zeppelinConfiguration.useSsl()) {
response.addHeader("Strict-Transport-Security", zeppelinConfiguration.getStrictTransport());
}
response.addHeader("X-XSS-Protection", zeppelinConfiguration.getXxssProtection());
}
@Override
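Review bot: The Strict-Transport-Security header added under `if (zeppelinConfiguration.useSsl())` is tied to Zeppelin's own TLS listener, so a deployment that terminates TLS at a reverse proxy presumably never sends HSTS even with zeppelin.server.strict.transport configured; a why-comment on that line would spare the next reader a trip to the configuration, e.g. `// HSTS only when Zeppelin itself serves TLS; behind a TLS-terminating proxy, set the header at the proxy`. Both header values are written straight from configuration with no validation, which is acceptable for operator-controlled zeppelin-site.xml but worth a comment stating that they are trusted as-is. The enclosing doFilter method starts before this hunk.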


@ -515,6 +515,14 @@ public class ZeppelinConfiguration extends XMLConfiguration {
return getString(ConfVars.ZEPPELIN_SERVER_XFRAME_OPTIONS);
}
public String getXxssProtection() {
return getString(ConfVars.ZEPPELIN_SERVER_X_XSS_PROTECTION);
}
public String getStrictTransport() {
return getString(ConfVars.ZEPPELIN_SERVER_STRICT_TRANSPORT);
}
public Map<String, String> dumpConfigurations(ZeppelinConfiguration conf,
ConfigurationKeyPredicate predicate) {
@ -671,7 +679,9 @@ public class ZeppelinConfiguration extends XMLConfiguration {
ZEPPELIN_WEBSOCKET_MAX_TEXT_MESSAGE_SIZE("zeppelin.websocket.max.text.message.size", "1024000"),
ZEPPELIN_SERVER_DEFAULT_DIR_ALLOWED("zeppelin.server.default.dir.allowed", false),
ZEPPELIN_SERVER_XFRAME_OPTIONS("zeppelin.server.xframe.options", "SAMEORIGIN"),
ZEPPELIN_SERVER_JETTY_NAME("zeppelin.server.jetty.name", null);
ZEPPELIN_SERVER_JETTY_NAME("zeppelin.server.jetty.name", null),
ZEPPELIN_SERVER_STRICT_TRANSPORT("zeppelin.server.strict.transport", "max-age=631138519"),
ZEPPELIN_SERVER_X_XSS_PROTECTION("zeppelin.server.xxss.protection", 1);
private String varName;
@SuppressWarnings("rawtypes")
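Review bot: `ZEPPELIN_SERVER_X_XSS_PROTECTION` is declared with an int default (`1`) while `getXxssProtection()` reads it through `getString(...)`, and its siblings `ZEPPELIN_SERVER_XFRAME_OPTIONS` and `ZEPPELIN_SERVER_STRICT_TRANSPORT` both use String defaults; if the int-typed ConfVars constructor does not populate the string default (not visible here), an unset property would hand CorsFilter a null header value. Declaring it as a string, `ZEPPELIN_SERVER_X_XSS_PROTECTION("zeppelin.server.xxss.protection", "1");`, keeps the three header settings consistent and matches the `<value>1</value>` in the template. The two new getters also lack Javadoc; a one-liner each, such as `/** Value of the Strict-Transport-Security header; CorsFilter sends it only when useSsl() is true. */`, would document the contract. The ConfVars enum continues beyond this hunk.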