zeppelin/docs/setup/security/http_security_headers.md
Alex Ott ebca7aed7c Miscellaneous documentation fixes
### What is this PR for?

This PR contains miscellaneous fixes & improvements for documentation:

- fixes for code snippets formatting, like, https://zeppelin.apache.org/docs/0.8.0-SNAPSHOT/setup/security/shiro_authentication.html#apply-multiple-roles-in-shiro-configuration
- fixes syntax highlighting (adding `scala`, `xml`, `java`, `bash`, ...)
- fixes for list of interpreters
- ...

### What type of PR is it?
Documentation

Author: Alex Ott <alexott@gmail.com>

Closes #2997 from alexott/doc-formatting-fixes and squashes the following commits:

10eed86ca [Alex Ott] Merge branch 'master' into doc-formatting-fixes
37a2bb778 [Alex Ott] miscellaneous fixes - wording, formatting, etc.
63ca2b0e2 [Alex Ott] fix usage of the ``` markup that led to broken formatting
9d285a1b7 [Alex Ott] Fix list of interpreters
5a7950e79 [Alex Ott] add missing language spec for syntax highlighting
bb26a2954 [Alex Ott] use same formatting for parser name
c90b61f11 [Alex Ott] use same capitalization in all interpreter names
a994f4ecf [Alex Ott] improve formatting for Cassandra interpreter docs
2018-06-20 22:30:14 +08:00


---
layout: page
title: "Setting up HTTP Response Headers"
description: "There are multiple HTTP Security Headers which can be configured in Apache Zeppelin. This page describes how to enable them by providing appropriate value in Zeppelin configuration file."
group: setup/security
---

{% include JB/setup %}

# Setting up HTTP Response Headers for Zeppelin

Apache Zeppelin can be configured to send HTTP response headers that help prevent Cross-Site Scripting (XSS) and Cross-Frame Scripting (XFS, i.e. clickjacking) and that enforce HTTP Strict Transport Security. Apache Zeppelin also has a configuration option to set the `Server` header (the application server name and version) to a value of your choice.

## Setting up HTTP Strict Transport Security (HSTS) Response Header

Enabling the HSTS response header mitigates man-in-the-middle attacks: once a browser has received the header from Zeppelin over HTTPS, it rewrites every subsequent `http://` request for that host (including links and sub-resources on the page) to `https://` before sending it, for as long as `max-age` has not expired. It also prevents the user from clicking through an invalid-certificate warning when an attacker presents a forged certificate. The header is only honoured when it arrives over a valid HTTPS connection, so Zeppelin must be running on SSL for it to have any effect; read how to configure SSL for Zeppelin [here](../operation/configuration.html). Note that the very first plain-HTTP visit is not protected unless the domain is on the browser preload list.

The following property needs to be set in `zeppelin-site.xml` in order to enable HSTS. Choose an appropriate value for `max-age` (in seconds).

```xml
<property>
  <name>zeppelin.server.strict.transport</name>
  <value>max-age=631138519</value>
  <description>The HTTP Strict-Transport-Security response header is a security feature that lets a web site tell browsers that it should only be communicated with using HTTPS, instead of using HTTP. Enable this when Zeppelin is running on HTTPS. Value is in seconds; the default value is equivalent to 20 years.</description>
</property>
```

Possible values are:

- `max-age=<expire-time>`
- `max-age=<expire-time>; includeSubDomains`
- `max-age=<expire-time>; preload`

The directives can be combined (`max-age=<expire-time>; includeSubDomains; preload`). `includeSubDomains` should only be used when every subdomain is served over HTTPS, and `preload` is only accepted by the browser preload list together with `includeSubDomains` and a `max-age` of at least one year.

Read more about HSTS here.

## Setting up X-XSS-PROTECTION Header

The HTTP `X-XSS-Protection` response header is a feature of Internet Explorer, older Chrome and Safari web browsers that triggers the configured action when the browser's built-in filter detects a reflected cross-site scripting (XSS) attack. Current Chromium-based browsers have removed this filter and Firefox never implemented it, so treat the header as defence in depth for legacy clients rather than as a primary XSS control.

The following property needs to be set in `zeppelin-site.xml` in order to send the `X-XSS-Protection` header.

```xml
<property>
  <name>zeppelin.server.xxss.protection</name>
  <value>1; mode=block</value>
  <description>The HTTP X-XSS-Protection response header is a feature of Internet Explorer, Chrome and Safari that stops pages from loading when they detect reflected cross-site scripting (XSS) attacks. When value is set to 1 and a cross-site scripting attack is detected, the browser will sanitize the page (remove the unsafe parts).</description>
</property>
```

You can choose an appropriate value from the list below.

- `0` (disables XSS filtering)
- `1` (enables XSS filtering; if a cross-site scripting attack is detected, the browser will sanitize the page)
- `1; mode=block` (enables XSS filtering; the browser will prevent rendering of the page if an attack is detected)

Read more about HTTP X-XSS-Protection response header here.

## Setting up X-Frame-Options Header

The `X-Frame-Options` HTTP response header tells the browser whether the page may be embedded in another site's `<frame>`, `<iframe>` or `<object>`, which is how clickjacking attacks overlay an invisible Zeppelin UI on an attacker-controlled page.

The following property needs to be set in `zeppelin-site.xml` in order to send the `X-Frame-Options` header.

```xml
<property>
  <name>zeppelin.server.xframe.options</name>
  <value>SAMEORIGIN</value>
  <description>The X-Frame-Options HTTP response header can be used to indicate whether or not a browser should be allowed to render a page in a frame/iframe/object.</description>
</property>
```

You can choose an appropriate value from the list below.

- `DENY`
- `SAMEORIGIN`
- `ALLOW-FROM uri`

`ALLOW-FROM` is obsolete and is ignored by Chrome and Safari, which then apply no framing restriction at all; if Zeppelin must be embedded by a specific other origin, prefer a Content-Security-Policy `frame-ancestors` directive at the reverse proxy instead.

## Setting up Server Header

Security-conscious organisations do not want to reveal the application server name and version, so that an attacker fingerprinting the application cannot obtain this information easily. The exact version number tells an attacker whether the application server is patched against, or vulnerable to, publicly known CVEs associated with it.

The following property needs to be set in `zeppelin-site.xml` in order to override the `Server` header.

```xml
<property>
    <name>zeppelin.server.jetty.name</name>
    <value>Jetty(7.6.0.v20120127)</value>
    <description>Hardcoding Application Server name to Prevent Fingerprinting</description>
</property>
```

The value can be any string. This changes only the `Server` header; other fingerprints, such as Jetty's default error pages or Zeppelin's own version endpoint in its REST API, are not affected.
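After restarting Zeppelin, verify that the four headers from the sections above (HSTS, `X-XSS-Protection`, `X-Frame-Options` and `Server`) are actually being sent with sane values. The following script is an added example, not part of the Zeppelin project: `audit_headers` applies the checks discussed on this page to a dictionary of response headers, and `fetch_headers` obtains that dictionary from a live server. The one-year HSTS threshold, the `EXPECTED_SERVER` decoy value (taken from the property above) and the sample responses are the author's assumptions; the sample responses are constructed, not captured from a real server.

```python
"""Audit the HTTP security headers a Zeppelin server sends.

Added example, not Zeppelin project code. Thresholds and samples are assumptions.
"""
import re
import ssl
import urllib.error
import urllib.request

# One year in seconds: the minimum max-age the HSTS preload list accepts.
# The page's default (631138519) is about 20 years. Assumption for this example.
HSTS_MIN_MAX_AGE = 31536000
# The decoy Server value suggested on this page (assumes you kept that value).
EXPECTED_SERVER = "Jetty(7.6.0.v20120127)"


def parse_hsts(value):
    """Parse a Strict-Transport-Security value into (max_age, includeSubDomains, preload).

    Returns None when no valid max-age directive is present; browsers treat such a
    header as invalid and ignore it entirely.
    """
    max_age, include_sub, preload = None, False, False
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            arg = arg.strip().strip('"')
            if not arg.isdigit():
                return None
            max_age = int(arg)
        elif name == "includesubdomains":
            include_sub = True
        elif name == "preload":
            preload = True
    if max_age is None:
        return None
    return max_age, include_sub, preload


def audit_headers(headers, scheme="https"):
    """Return a list of findings for a dict of response headers (empty = all good).

    Header names are matched case-insensitively. `scheme` is the scheme the
    response was fetched over, since HSTS is only honoured over HTTPS.
    """
    h = {k.lower(): v for k, v in headers.items()}
    findings = []

    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("HSTS: header missing (set zeppelin.server.strict.transport)")
    else:
        parsed = parse_hsts(hsts)
        if parsed is None:
            findings.append("HSTS: no valid max-age; browsers ignore the header")
        else:
            max_age, include_sub, preload = parsed
            if max_age < HSTS_MIN_MAX_AGE:
                findings.append(f"HSTS: max-age {max_age} below {HSTS_MIN_MAX_AGE}")
            if preload and not include_sub:
                findings.append("HSTS: preload requires includeSubDomains")
        if scheme != "https":
            findings.append("HSTS: sent over plain HTTP, browsers ignore it; enable SSL")

    xss = h.get("x-xss-protection")
    if xss is None:
        findings.append("X-XSS-Protection: header missing")
    elif xss.replace(" ", "").lower() not in ("0", "1", "1;mode=block"):
        findings.append(f"X-XSS-Protection: unexpected value {xss!r}")

    xfo = h.get("x-frame-options")
    if xfo is None:
        findings.append("X-Frame-Options: header missing (page can be framed)")
    elif xfo.upper().startswith("ALLOW-FROM"):
        findings.append("X-Frame-Options: ALLOW-FROM is not honoured by Chrome/Safari; use CSP frame-ancestors")
    elif xfo.upper() not in ("DENY", "SAMEORIGIN"):
        findings.append(f"X-Frame-Options: invalid value {xfo!r}, browsers ignore it")

    # A real Jetty banner looks like Jetty(<major>.<minor>.<patch>...); flag it unless
    # it is the decoy value configured via zeppelin.server.jetty.name.
    server = h.get("server", "")
    if re.search(r"jetty\(\d+\.\d+\.\d+", server, re.I) and server != EXPECTED_SERVER:
        findings.append(f"Server: reveals real Jetty version {server!r}")
    return findings


def fetch_headers(url, verify_tls=True):
    """HEAD the given URL and return its response headers as a dict (needs network)."""
    ctx = ssl.create_default_context()
    if not verify_tls:  # only for lab setups with self-signed certificates
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    req = urllib.request.Request(url, method="HEAD")
    try:
        with urllib.request.urlopen(req, context=ctx, timeout=10) as resp:
            return dict(resp.getheaders())
    except urllib.error.HTTPError as e:  # a 401/403 from Shiro still carries the headers
        return dict(e.headers.items())


# Constructed sample responses (not captured from a real server).
HARDENED = {
    "Strict-Transport-Security": "max-age=631138519; includeSubDomains",
    "X-XSS-Protection": "1; mode=block",
    "X-Frame-Options": "SAMEORIGIN",
    "Server": "Jetty(7.6.0.v20120127)",
}
UNCONFIGURED = {"Server": "Jetty(9.4.14.v20181114)", "Content-Type": "text/html"}

if __name__ == "__main__":
    import sys
    hdrs = fetch_headers(sys.argv[1]) if len(sys.argv) > 1 else UNCONFIGURED
    for finding in audit_headers(hdrs) or ["all headers present and sane"]:
        print(finding)
```

Run it as `python audit_headers.py https://zeppelin.example.org:8443/` against your own instance (hostname assumed); without an argument it audits the constructed `UNCONFIGURED` sample and reports all four headers as problems. The `Server` check deliberately treats the decoy string from this page as acceptable, so adjust `EXPECTED_SERVER` if you chose a different value.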