Google Git
Sign in
apache / kudu / 26ad5ad962fe05af4b69730ffded9414fd13a5e5
commit26ad5ad962fe05af4b69730ffded9414fd13a5e5[log] [tgz]
authorAlexey Serbin <alexey@apache.org>Thu Feb 17 17:54:11 2022 -0800
committerAlexey Serbin <alexey@apache.org>Fri Dec 22 15:07:51 2023 +0000
treef448af4d84eec21f58376643443bef863483d814
parent2871977a362949ef9868485b3cf114b7aedccb51 [diff]
[webserver] add security-related HTTP headers

To please various security scanners, this patch adds the following
HTTP headers into Kudu embedded webserver's responses:
  * Cache-Control (set to 'no-store' by default, see [1])
  * X-Content-Type-Options (set to 'nosniff' by default, see [2])
  * Strict-Transport-Security (see [3] and below for details)

The embedded webserver adds the HTTP strict transport security
(HSTS) header 'Strict-Transport-Security' for responses sent from HTTPS
(i.e. TLS-protected) endpoints if --webserver_hsts_max_age_seconds is
set to a non-negative value.  The header contains the 'max-age'
attribute as specified by the flag, and adds the optional
'includeSubDomains' attribute as per set setting of the
--webserver_hsts_include_sub_domains flag.  The HSTS header isn't added
to the responses sent from plain HTTP endpoints (BTW, it seems most
browsers simply ignore the HSTS header anyway if it's received from
an HTTP, not an HTTPS endpoint).

Essentially, the HSTS header for Kudu is a no-op since the embedded
webserver doesn't serve both HTTP and HTTPS endpoints at the same time:
one can enable one or the other, but never both.  However, many security
scanners almost cry "Security breach" if they don't see the header :)

Adding the HSTS header isn't enabled by default since it could make
other plain HTTP endpoints at the same node/hostname inaccessible.
To enable adding the HSTS header for HTTPS responses, set the
--webserver_hsts_max_age_seconds flag to a non-negative integer.
Enable it with care and only if you know what you are doing!

One extra test added and a few existing ones updated correspondingly
to cover the newly introduced functionality.

[1] https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Cache-Control
[2] https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options
[3] https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security

Change-Id: Id844b9588196b3d608765d0f16f5caec1c414d41
Reviewed-on: http://gerrit.cloudera.org:8080/18253
Tested-by: Alexey Serbin <alexey@apache.org>
Reviewed-by: Attila Bukor <abukor@apache.org>
2 files changed
tree: f448af4d84eec21f58376643443bef863483d814
  1. build-support/
  2. cmake_modules/
  3. docker/
  4. docs/
  5. examples/
  6. java/
  7. kubernetes/
  8. python/
  9. src/
  10. thirdparty/
  11. www/
  12. .dockerignore
  13. .gitignore
  14. .ycm_extra_conf.py
  15. CMakeLists.txt
  16. CONTRIBUTING.adoc
  17. LICENSE.txt
  18. NOTICE.txt
  19. README.adoc
  20. RELEASING.adoc
  21. version.txt