mirror of
https://github.com/apache/zeppelin
synced 2026-05-24 09:38:26 +00:00
### What is this PR for?

The HTTP Strict-Transport-Security response header (often abbreviated as HSTS) is a security feature that lets a web site tell browsers that it should only be communicated with using HTTPS, instead of using HTTP.

Note: The Strict-Transport-Security header is ignored by the browser when your site is accessed using HTTP; this is because an attacker may intercept HTTP connections and inject the header or remove it. When your site is accessed over HTTPS with no certificate errors, the browser knows your site is HTTPS capable and will honor the Strict-Transport-Security header.

The HTTP X-XSS-Protection response header is a feature of Internet Explorer, Chrome and Safari that stops pages from loading when they detect reflected cross-site scripting (XSS) attacks.

### What type of PR is it?

[Bug Fix | Improvement]

### What is the Jira issue?

* [ZEPPELIN-2775](https://issues.apache.org/jira/browse/ZEPPELIN-2775)

### How should this be tested?

Make a curl call to Zeppelin? Go to the Chrome browser and select "More Tools" -> "Developer Tools" from the right-side menu. Under the Network section, select any request and check "Response Headers". You should see the headers below along with the existing ones.

> strict-transport-security:max-age=631138519
> x-xss-protection:1; mode=block

![screen shot 2017-07-14 at 8 19 14 pm](https://user-images.githubusercontent.com/6433184/28217231-16ce6cee-68d2-11e7-91aa-77ad083612c7.png)

### Questions:

* Does this need documentation?

Author: krishna-pandey <krish.pandey21@gmail.com>

Closes #2492 from krishna-pandey/ZEPPELIN-2775 and squashes the following commits:
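The test step in the PR description asks you to eyeball the response headers in curl or the Chrome developer tools. The script below is an added example, not part of the Zeppelin PR or code base: it parses a raw HTTP response block, checks that Strict-Transport-Security carries a numeric `max-age` and that X-XSS-Protection is `1; mode=block` (the values the PR expects), and reports the caveat the description raises, namely that an HSTS header received over plain HTTP is present but will not be honoured by browsers. The response block embedded in it is constructed to match the headers quoted in the PR, not a real capture from a Zeppelin server; to check a live instance you would paste the output of `curl -sI` into `check_response`.

```python
"""Check a Zeppelin HTTP response for the HSTS and X-XSS-Protection headers
added in ZEPPELIN-2775.  Added example; the sample response below is
constructed to match the headers quoted in the PR description.
"""
import re

# Accepts "max-age=631138519" as a single HSTS directive.
HSTS_MAX_AGE = re.compile(r"^\s*max-age\s*=\s*(\d+)\s*$", re.IGNORECASE)


def parse_headers(raw: str) -> dict:
    """Parse a raw HTTP/1.1 response (status line plus header lines) into a
    dict keyed by lower-cased header name.  Repeated headers are joined with
    ', ' as RFC 7230 allows; parsing stops at the blank line before the body."""
    lines = raw.strip().splitlines()
    headers = {}
    for line in lines[1:]:  # lines[0] is the status line
        if not line.strip():
            break
        name, _, value = line.partition(":")
        name, value = name.strip().lower(), value.strip()
        headers[name] = f"{headers[name]}, {value}" if name in headers else value
    return headers


def check_hsts(headers: dict, scheme: str) -> tuple:
    """Return (ok, message) for Strict-Transport-Security.

    Browsers only honour HSTS when it arrives over HTTPS with no certificate
    errors, so a header seen over plain HTTP is reported as ineffective even
    though the server did send it."""
    value = headers.get("strict-transport-security")
    if value is None:
        return False, "Strict-Transport-Security header missing"
    max_age = None
    for directive in value.split(";"):
        match = HSTS_MAX_AGE.match(directive)
        if match:
            max_age = int(match.group(1))
    if max_age is None:
        return False, f"Strict-Transport-Security {value!r} has no max-age directive"
    if scheme.lower() != "https":
        return False, (f"Strict-Transport-Security (max-age={max_age}) received over "
                       f"{scheme}; browsers ignore HSTS unless it is served over HTTPS")
    return True, f"HSTS enforced for {max_age} seconds"


def check_xss_protection(headers: dict) -> tuple:
    """Return (ok, message) for X-XSS-Protection; only '1; mode=block' passes,
    since '1' alone lets the browser sanitise and still render the page."""
    value = headers.get("x-xss-protection")
    if value is None:
        return False, "X-XSS-Protection header missing"
    tokens = [t.strip().lower() for t in value.split(";")]
    if tokens[0] != "1":
        return False, f"X-XSS-Protection is {value!r}; filter is disabled"
    if "mode=block" not in tokens[1:]:
        return False, f"X-XSS-Protection is {value!r}; page would be sanitised, not blocked"
    return True, "X-XSS-Protection enabled in blocking mode"


def check_response(raw: str, scheme: str) -> dict:
    """Run both checks against a raw response fetched over the given scheme."""
    headers = parse_headers(raw)
    return {
        "strict-transport-security": check_hsts(headers, scheme),
        "x-xss-protection": check_xss_protection(headers),
    }


# Constructed sample: the response the PR's curl call should produce.
SAMPLE_RESPONSE = """HTTP/1.1 200 OK
Date: Fri, 14 Jul 2017 20:19:14 GMT
Content-Type: text/html;charset=utf-8
Strict-Transport-Security: max-age=631138519
X-XSS-Protection: 1; mode=block
Content-Length: 0

"""

if __name__ == "__main__":
    for scheme in ("https", "http"):
        print(f"--- response fetched over {scheme} ---")
        for name, (ok, msg) in check_response(SAMPLE_RESPONSE, scheme).items():
            print(f"[{'PASS' if ok else 'FAIL'}] {name}: {msg}")
```

Running it prints both checks passing for the HTTPS case and an HSTS failure for the HTTP case with the same headers, which is the point of the note in the PR description: the header being present in the response is necessary but not sufficient, the transport it arrives over decides whether the browser records the policy.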