Configuring Security Headers for Web Servers

About the Headers File

The XML file with security headers is located at:

/opt/mapr/hive/hive-<version>/conf/headres.xml

The headres.xml file contains the following headers:

<?xml version="1.0" encoding="utf-8" ?>
<!DOCTYPE properties SYSTEM "http://java.sun.com/dtd/properties.dtd">
<properties>
  <entry key="X-Content-Type-Options">nosniff</entry>
  <entry key="X-XSS-Protection">1; mode=block</entry>
  <entry key="Strict-Transport-Security">max-age=31536000; includeSubDomains</entry>
  <entry key="Content-Security-Policy">default-src https:</entry>
</properties>

This table describes each header:

Header	Description	Default Value
X-XSS-Protection	Stops pages from loading when reflected cross-site scripting (XSS) is detected. Supported by IE, Chrome, and Safari.	`1: mode=block`
X-Content-Type-Options	Indicates that the MIME types advertised in the `Content-Type` headers should not be changed and should be followed.	`nosniff`
Strict-Transport-Security	Tells all browsers that the website should only be accessed using HTTPS instead of using HTTP.	`max-age=31536000;includeSubDomains`
Content-Security-Policy	Allows web-site administrators to control resources the user agent is allowed to load for a given page. This helps guard against cross-site scripting attacks (XSS).	`default-src https:`

Configuring Security Headers for WebHCat

To enable security headers for WebHCat, add the following to the webhcat-site.xml file, and replace <version> with your Hive version:

<property>
<name>templeton.jetty.response.headers.file</name>
<value>/opt/mapr/hive/hive-<version>/conf/headers.xml</value>
</property>

After configuring and restarting WebHCat, you should see security headers in the server response. For example:

< HTTP/1.1 200 OK
< Date: Thu, 03 Oct 2019 11:35:39 GMT
< Set-Cookie: hadoop.auth="u=mapr&p=mapr&t=multiauth&e=1570138539451&s=CpX+tI7sScnnSUZpA1Kdf+7hamM="; Path=/; Domain=.cluster.com; Expires=Thu, 03-Oct-2019 21:35:39 GMT; Secure; HttpOnly
< Content-Security-Policy: default-src https:
< X-XSS-Protection: 1; mode=block
< X-Content-Type-Options: nosniff
< Strict-Transport-Security: max-age=31536000
< Content-Type: application/json
< Transfer-Encoding: chunked
< Server: Jetty(9.4.19.v20190610)

Configuring Security Headers for HiveServer2 Web UI

To enable security headers for the Hiveserver2 Web UI, add the following to the hive-site.xml file, replacing <version> with your Hive version:

<property>
    <name>hive.server2.webui.jetty.response.headers.file</name>
    <value>/opt/mapr/hive/hive-<version>/conf/headers.xml</value>
</property>

Then restart HiveServer2.

Configuring Custom Headers

To configure custom headers for web servers, edit the headers.xml file, and add Custom-header as follows:

<entry key="Custom-header">custom-value</entry>

Security Headers Auto-Configuration

If you install Hive on a secure cluster (MapR SASL or Kerberos) and run the following command after Hive installation, Hive automatically configures itself to enable security headers, and no additional action is needed:

/opt/mapr/server/configure.sh -R

HPE Ezmeral Data Fabric – Customer-Managed 7.9.0 Documentation
Abstract	This site contains documentation for the customer-managed platform of the HPE Ezmeral Data Fabric version 7.9.0 including installation, configuration, administration, and reference content, as well as content for the associated bundled ecosystem components and drivers.
Published	November 2024
Edition	7.9.0