Configuring Security Headers for Web Servers for Oozie
This section describes how to configure response headers for REST API servers used in the Oozie web UI.
IMPORTANT: This component is deprecated. Hewlett Packard Enterprise recommends using an alternate product. For more information, see Discontinued Ecosystem Components.
About the Headers File
The XML file with security headers is located at:
/opt/mapr/oozie/oozie-<version>/conf/security-headers.xml
The security-headers.xml file contains the following headers:
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<!DOCTYPE properties SYSTEM "http://java.sun.com/dtd/properties.dtd">
<properties>
<comment>Security headers that is used to minimize the possibility of cross-site scripting and other attacks</comment>
<entry key="X-XSS-Protection">1; mode=block</entry>
<entry key="X-Content-Type-Options">nosniff</entry>
<entry key="Strict-Transport-Security">max-age=31536000;includeSubDomains</entry>
<entry key="Content-Security-Policy">default-src https:</entry>
</properties>
This table describes each header:
Header | Description | Default Value |
---|---|---|
X-XSS-Protection | Stops pages from loading when reflected cross-site scripting (XSS) is detected. Supported by IE, Chrome, and Safari. | 1; mode=block |
X-Content-Type-Options | Indicates that the MIME types advertised in the Content-Type headers should not be changed and should be followed. | nosniff |
Strict-Transport-Security | Tells all browsers that the website should only be accessed using HTTPS instead of using HTTP. | max-age=31536000;includeSubDomains |
Content-Security-Policy | Allows web-site administrators to control resources the user agent is allowed to load for a given page. This helps guard against cross-site scripting attacks (XSS). | default-src https: |
Configuring Security Headers for Oozie
To enable security headers for Oozie, add the following to the oozie-site.xml file, and replace <version> with your Oozie version:
<property>
<name>oozie.server.response.headers</name>
<value>/opt/mapr/oozie/oozie-<version>/conf/security-headers.xml</value>
</property>
Configuring Custom Headers
To configure custom headers for web servers, edit the headers.xml file, and add Custom-header as follows:
<entry key="Custom-header">custom-value</entry>
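After enabling the headers file or adding a custom entry, it is worth checking that the server actually sends what the file declares. The following is an added example, not part of the original page or of Oozie: it parses the properties-format XML shown above and compares it with a set of response headers. Both samples are constructed; in practice the response headers would be captured from the Oozie server (for instance with curl -I), and the function names are hypothetical.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the security-headers.xml entries shown on this page,
# plus the Custom-header entry from the custom headers section.
SAMPLE_XML = """<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<!DOCTYPE properties SYSTEM "http://java.sun.com/dtd/properties.dtd">
<properties>
<entry key="X-XSS-Protection">1; mode=block</entry>
<entry key="X-Content-Type-Options">nosniff</entry>
<entry key="Strict-Transport-Security">max-age=31536000;includeSubDomains</entry>
<entry key="Content-Security-Policy">default-src https:</entry>
<entry key="Custom-header">custom-value</entry>
</properties>"""

# Constructed sample: response headers from a server whose HSTS value has
# drifted from the file and which does not send the custom header.
SAMPLE_RESPONSE = {
    "x-xss-protection": "1; mode=block",
    "X-Content-Type-Options": "nosniff",
    "Strict-Transport-Security": "max-age=0",
    "Content-Security-Policy": "default-src https:",
}

def load_headers(xml_text):
    """Parse a Java-properties XML document into {header name: value}."""
    root = ET.fromstring(xml_text)
    if root.tag != "properties":
        raise ValueError("not a properties file: root is <%s>" % root.tag)
    return {e.get("key"): (e.text or "").strip() for e in root.iter("entry")}

def audit(configured, response):
    """Return sorted (header, problem) pairs for headers not served as configured."""
    # HTTP header names are case-insensitive, so compare on lower-cased names.
    seen = {name.lower(): value.strip() for name, value in response.items()}
    findings = []
    for name, expected in configured.items():
        actual = seen.get(name.lower())
        if actual is None:
            findings.append((name, "missing"))
        elif actual != expected:
            findings.append((name, "expected %r, got %r" % (expected, actual)))
    return sorted(findings)

if __name__ == "__main__":
    for header, problem in audit(load_headers(SAMPLE_XML), SAMPLE_RESPONSE):
        print("%s: %s" % (header, problem))
```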
Security Headers Auto-Configuration
If you install Oozie on a secure cluster (MapR-SASL or Kerberos) and run the following command after
Oozie installation, Oozie automatically configures itself to enable security headers, and no
additional action is needed:
/opt/mapr/server/configure.sh -R