Modern Web-Browsers come with few inbuilt defenses for common web attacks but we need to enable our web applications to use them.
Recently support for many such HTTP response headers were added to Zeppelin to thwart common attacks like Cross-site scripting, ClickJacking, Man-in-the-Middle and SSL Downgrade attacks which Browsers can use to enable client-side security features.
We need to configure the properties in zeppelin-site.xml listed below to enable the supported security headers.
1. The "zeppelin.server.xxss.protection" property needs to be updated in the zeppelin-site.xml in order to set X-XSS-PROTECTION header.
The HTTP X-XSS-Protection response header is a feature of Internet Explorer, Chrome and Safari that stops pages from loading when they detect reflected cross-site scripting (XSS) attacks.
When value is set to "1; mode=block", the browser will enable XSS filtering and prevent rendering of the page if an attack is detected.
When value is set to "0", it turns off the protection against XSS attacks and disables XSS filtering by Web-Browsers.
When value is set to "1" and a cross-site scripting attack is detected, the browser will sanitize the page (remove the unsafe parts).
2. The "zeppelin.server.xframe.options" property needs to be updated in the zeppelin-site.xml in order to set X-Frame-Options header. The X-Frame-Options HTTP response header can indicate browser to avoid clickjacking attacks, by ensuring that their content is not embedded into other sites in a <frame>,<iframe> or <object>.
When value is set to "DENY", the web page cannot be displayed in a frame, regardless of the site attempting to do so.
When value is set to "SAMEORIGIN", the web page can only be displayed in a frame on the same origin as the page itself.
When value is set to "ALLOW-FROM <uri>", the web page can only be displayed in a frame on the specified origin i.e. given URI value.
3. The "zeppelin.server.strict.transport" property needs to be updated in the zeppelin-site.xml in order to enable HSTS.
Enabling HSTS Response Header prevents Man-in-the-middle attacks by automatically redirecting HTTP requests to HTTPS when Zeppelin Server is running on SSL. Even if web page contains any resource which gets served over HTTP or any HTTP links, it will automatically be redirected to HTTPS for the target domain. It also prevents MITM attack by not allowing User to override the invalid certificate message, when Attacker presents invalid SSL certificate to the User.
The REQUIRED "max-age" directive specifies the number of seconds, after the reception of the STS header field, during which the User Agent (Web Browsers) regards the host (from whom the message was received) as a Known HSTS Host. Please set the "max-age" value as per your requirement.
max-age=<expire-time> - The 'expire-time', time in seconds, that the browser should remember that a site is only to be accessed using HTTPS.
max-age=<expire-time>; includeSubDomains - The 'includeSubDomains' flag is useful if all present and future subdomains will be HTTPS. Please be aware that this will block access to certain pages that can only be served over HTTP.
max-age=<expire-time>; preload - The 'preload' flag indicates the site owner's consent to have their domain preloaded. The site owner still needs to then go and submit the domain to the HSTS preload list maintained by Google Chrome (and used by Firefox and Safari).