Configuring Security Headers for Web Servers

This section describes how to configure HTTP security response headers for the Hive WebHCat REST server and the HiveServer2 web UI.

About the Headers File

The XML file with security headers is located at:
/opt/mapr/hive/hive-<version>/conf/headers.xml
The headers.xml file contains the following headers:
<?xml version="1.0" encoding="utf-8" ?>
<!DOCTYPE properties SYSTEM "http://java.sun.com/dtd/properties.dtd">
<properties>
  <entry key="X-Content-Type-Options">nosniff</entry>
  <entry key="X-XSS-Protection">1; mode=block</entry>
  <entry key="Strict-Transport-Security">max-age=31536000; includeSubDomains</entry>
  <entry key="Content-Security-Policy">default-src https:</entry>
</properties>

Each header, its purpose, and the default value in headers.xml:

Header: X-XSS-Protection
Description: Stops pages from loading when reflected cross-site scripting (XSS) is detected. Supported by IE, Chrome, and Safari.
Default Value: 1; mode=block

Header: X-Content-Type-Options
Description: Indicates that the MIME types advertised in the Content-Type headers should not be changed and should be followed.
Default Value: nosniff

Header: Strict-Transport-Security
Description: Tells all browsers that the website should only be accessed using HTTPS instead of HTTP.
Default Value: max-age=31536000; includeSubDomains

Header: Content-Security-Policy
Description: Allows web-site administrators to control the resources the user agent is allowed to load for a given page. This helps guard against cross-site scripting (XSS) attacks.
Default Value: default-src https:

Configuring Security Headers for WebHCat

To enable security headers for WebHCat, add the following to the webhcat-site.xml file, replacing <version> with your Hive version:
<property>
    <name>templeton.jetty.response.headers.file</name>
    <value>/opt/mapr/hive/hive-<version>/conf/headers.xml</value>
</property>
After configuring and restarting WebHCat, you should see security headers in the server response. For example:
< HTTP/1.1 200 OK
< Date: Thu, 03 Oct 2019 11:35:39 GMT
< Set-Cookie: hadoop.auth="u=mapr&p=mapr&t=multiauth&e=1570138539451&s=CpX+tI7sScnnSUZpA1Kdf+7hamM="; Path=/; Domain=.cluster.com; Expires=Thu, 03-Oct-2019 21:35:39 GMT; Secure; HttpOnly
< Content-Security-Policy: default-src https:
< X-XSS-Protection: 1; mode=block
< X-Content-Type-Options: nosniff
< Strict-Transport-Security: max-age=31536000
< Content-Type: application/json
< Transfer-Encoding: chunked
< Server: Jetty(9.4.19.v20190610)

Configuring Security Headers for HiveServer2 Web UI

To enable security headers for the HiveServer2 Web UI, add the following to the hive-site.xml file, replacing <version> with your Hive version:
<property>
    <name>hive.server2.webui.jetty.response.headers.file</name>
    <value>/opt/mapr/hive/hive-<version>/conf/headers.xml</value>
</property>

Then restart HiveServer2.
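After restarting WebHCat or HiveServer2, it is worth checking that every header configured in headers.xml actually appears in the server response with the configured value (the sample WebHCat response above, for instance, lacks the includeSubDomains directive that the default file sets). The following is an added example, not part of the original documentation: it parses the Java properties XML format used by headers.xml and compares it against a captured response; both the headers file copy and the response lines are constructed inline.

```python
import xml.etree.ElementTree as ET
# Constructed copy of the headers.xml shown above (Java properties XML format).
HEADERS_XML = """<?xml version="1.0" encoding="utf-8" ?>
<!DOCTYPE properties SYSTEM "http://java.sun.com/dtd/properties.dtd">
<properties>
  <entry key="X-Content-Type-Options">nosniff</entry>
  <entry key="X-XSS-Protection">1; mode=block</entry>
  <entry key="Strict-Transport-Security">max-age=31536000; includeSubDomains</entry>
  <entry key="Content-Security-Policy">default-src https:</entry>
</properties>
"""

# Constructed response headers, modelled on the curl output shown above.
SAMPLE_RESPONSE = """HTTP/1.1 200 OK
Content-Security-Policy: default-src https:
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
Strict-Transport-Security: max-age=31536000
"""

def load_expected_headers(xml_text):
    """Parse the properties XML into {header-name: configured-value}."""
    root = ET.fromstring(xml_text)
    return {e.get("key"): (e.text or "").strip() for e in root.iter("entry")}

def parse_response_headers(raw):
    """Turn 'Name: value' lines into a dict keyed by lowercased header name."""
    headers = {}
    for line in raw.splitlines()[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers

def _directives(value):
    """Split a ';'-separated header value so spacing and case do not matter."""
    return [d.strip().lower() for d in value.split(";") if d.strip()]

def check_security_headers(xml_text, raw_response):
    """Return {header: problem} for each configured header that is missing or wrong."""
    expected = load_expected_headers(xml_text)
    actual = parse_response_headers(raw_response)
    problems = {}
    for name, want in expected.items():
        got = actual.get(name.lower())
        if got is None:
            problems[name] = "missing"
        elif _directives(got) != _directives(want):
            problems[name] = f"got {got!r}, expected {want!r}"
    return problems
```

An empty result means the server sends every configured header with the configured value; in practice, feed it the header block captured with curl -i against the WebHCat or HiveServer2 web UI endpoint.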

Configuring Custom Headers

To add a custom header to the web server responses, edit the headers.xml file and add an entry whose key is the header name and whose text is the header value, for example:
<entry key="Custom-header">custom-value</entry>

Security Headers Auto-Configuration

If you install Hive on a secure cluster (MapR SASL or Kerberos) and run the following command after Hive installation, Hive automatically configures itself to enable security headers, and no additional action is needed:
/opt/mapr/server/configure.sh -R