Configuring Security Headers for Web Servers for Oozie

This section describes how to configure response headers for REST API servers used in the Oozie web UI.

IMPORTANT This component is deprecated. Hewlett Packard Enterprise recommends using an alternate product. For more information, see Discontinued Ecosystem Components.

About the Headers File

The XML file with security headers is located at:

/opt/mapr/oozie/oozie-<version>/conf/security-headers.xml

The security-headers.xml file contains the following headers:

<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<!DOCTYPE properties SYSTEM 
"http://java.sun.com/dtd/properties.dtd">
<properties>
    <comment>Security headers that is used to minimize the possibility of cross-site scripting and other attacks</comment>
    <entry key="X-XSS-Protection">1; mode=block</entry>
    <entry key="X-Content-Type-Options">nosniff</entry>
    <entry key="Strict-Transport-Security">max-age=31536000;includeSubDomains</entry>
    <entry key="Content-Security-Policy">default-src https:</entry>
</properties>

This table describes each header:

Header	Description	Default Value
X-XSS-Protection	Stops pages from loading when reflected cross-site scripting (XSS) is detected. Supported by IE, Chrome, and Safari.	`1: mode=block`
X-Content-Type-Options	Indicates that the MIME types advertised in the `Content-Type` headers should not be changed and should be followed.	`nosniff`
Strict-Transport-Security	Tells all browsers that the website should only be accessed using HTTPS instead of using HTTP.	`max-age=31536000;includeSubDomains`
Content-Security-Policy	Allows web-site administrators to control resources the user agent is allowed to load for a given page. This helps guard against cross-site scripting attacks (XSS).	`default-src https:`

Configuring Security Headers for Oozie

To enable security headers for Oozie, add the following to the oozie-site.xml file, and replace <version> with your Oozie version:

<property>
<name>oozie.server.response.headers</name>
<value>/opt/mapr/oozie/oozie-<version>/conf/security-headers.xml</value>
</property>

Configuring Custom Headers

To configure custom headers for web servers, edit the headers.xml file, and add Custom-header as follows:

<entry key="Custom-header">custom-value</entry>

Security Headers Auto-Configuration

If you install Oozie on a secure cluster (MapR-SASL or Kerberos) and run the following command after Oozie installation, Oozie automatically configures itself to enable security headers, and no additional action is needed:

/opt/mapr/server/configure.sh -R