Setting up HTTP Response Headers for ZeppelinApache Zeppelin can be configured to include HTTP Headers which aids in preventing Cross Site Scripting (XSS), Cross-Frame Scripting (XFS) and also enforces HTTP Strict Transport Security. Apache Zeppelin also has configuration available to set the Application Server Version to desired value. Show
Setting up HTTP Strict Transport Security (HSTS) Response HeaderEnabling HSTS Response Header prevents Man-in-the-middle attacks by automatically redirecting HTTP requests to HTTPS when Zeppelin Server is running on SSL. Read on how to configure SSL for Zeppelin here. Even if web page contains any resource which gets served over HTTP or any HTTP links, it will automatically be redirected to HTTPS for the target domain. It also prevents MITM attack by not allowing User to override the invalid certificate message, when Attacker presents invalid SSL certificate to the User. The following property needs to be updated in the zeppelin-site.xml in order to enable HSTS. You can choose appropriate value for "max-age".
Possible values are:
Read more about HSTS here. Setting up X-XSS-PROTECTION HeaderThe HTTP X-XSS-Protection response header is a feature of Internet Explorer, Chrome and Safari Web browsers that initiates configured action when they detect reflected cross-site scripting (XSS) attacks. The below property to set X-XSS-Protection header is enabled with default value of "1; mode=block" in the zeppelin-site.xml
You can choose appropriate value from below to update the configuration if required.
Read more about HTTP X-XSS-Protection response header here. Setting up X-Frame-Options HeaderThe X-Frame-Options HTTP response header can indicate browser to avoid clickjacking attacks, by ensuring that their content is not embedded into other sites in a The below property to set X-Frame-Options header is enabled with default value of "SAMEORIGIN" in the zeppelin-site.xml
You can choose appropriate value from below to update the configuration if required.
Setting up X-Content-Type-Options HeaderThe HTTP X-Content-Type-Options response header helps to prevent MIME type sniffing attacks. It directs the browser to honor the type specified in the Content-Type header, rather than trying to determine the type from the content itself. The default value The below property to set X-Content-Type-Options header is enabled with default value of "nosniff" in the zeppelin-site.xml
Setting up Server HeaderSecurity conscious organisations does not want to reveal the Application Server name and version to prevent finding this information easily by Attacker while fingerprinting the Application. The exact version number can tell an Attacker if the current Application Server is patched for or vulnerable to certain publicly known CVE associated to it. The below property to mask Jetty server version is enabled by default and configured with value of " " (one whitespace char) in the zeppelin-site.xml
The value can be any "String". Removing this property from configuration will cause Zeppelin to send correct Jetty server version. Also, it can be removed the from response headers and from 300/400/500 HTTP response pages.
Which HTTP response header should be used to prevent attackers from displaying?The HTTP X-XSS-Protection response header is a feature of Internet Explorer, Chrome and Safari that stops pages from loading when they detect reflected cross-site scripting (XSS) attacks.
What are some parts of the HTTP header and why is this important as a security analyst?The name of the header is Content-Security-Policy and its value can be defined with the following directives: default-src , script-src, media-src , img-src . They specify the sources from where the browser should load those types of resources (scripts, media, etc).
What are the security headers?Security headers are directives used by web applications to configure security defenses in web browsers. Based on these directives, browsers can make it harder to exploit client-side vulnerabilities such as Cross-Site Scripting or Clickjacking.
What is missing security headers?Missing Strict Transport Security header means that the application fails to prevent users from connecting to it over unencrypted connections.
|