Configuring Security Headers for Web Servers
This section describes how to configure HTTP security response headers for the REST API server used by Hive WebHCat and for the HiveServer2 web UI.
About the Headers File
The XML file with security headers is located at:
/opt/mapr/hive/hive-<version>/conf/headers.xml
The headers.xml file contains the following headers:
<?xml version="1.0" encoding="utf-8" ?>
<!DOCTYPE properties SYSTEM "http://java.sun.com/dtd/properties.dtd">
<properties>
<entry key="X-Content-Type-Options">nosniff</entry>
<entry key="X-XSS-Protection">1; mode=block</entry>
<entry key="Strict-Transport-Security">max-age=31536000; includeSubDomains</entry>
<entry key="Content-Security-Policy">default-src https:</entry>
</properties>
This table describes each header:
Header | Description | Default Value |
---|---|---|
X-XSS-Protection | Asks the browser to stop rendering the page when it detects reflected cross-site scripting (XSS). Historically supported by Internet Explorer, Chrome, and Safari, but Firefox never implemented it and Chrome removed its XSS auditor in version 78, so treat it as defense in depth and rely on Content-Security-Policy for XSS mitigation. | 1; mode=block |
X-Content-Type-Options | Tells the browser to honour the MIME type declared in the Content-Type header instead of sniffing the body; for example, a JSON response can then not be loaded as a script. | nosniff |
Strict-Transport-Security | Tells browsers to access the site only over HTTPS for the next max-age seconds (31536000 is one year); includeSubDomains applies the rule to subdomains as well. Browsers honour this header only when it arrives over an HTTPS connection, so it has no effect until the server itself serves TLS. | max-age=31536000; includeSubDomains |
Content-Security-Policy | Lets the web server control which resources the user agent may load for a given page, which limits the impact of cross-site scripting (XSS). The default policy allows resources from any HTTPS origin and, because it omits 'unsafe-inline', blocks inline scripts and styles; if the web UI works with a stricter policy such as default-src 'self', prefer that. | default-src https: |
Configuring Security Headers for WebHCat
To enable security headers for WebHCat, add the following to the webhcat-site.xml file, replacing <version> with your Hive version:
<property>
<name>templeton.jetty.response.headers.file</name>
<value>/opt/mapr/hive/hive-<version>/conf/headers.xml</value>
</property>
After configuring and restarting WebHCat, you should see the security headers in the server response. For example, as captured with curl -v (which prefixes each response header with "< "):
< HTTP/1.1 200 OK
< Date: Thu, 03 Oct 2019 11:35:39 GMT
< Set-Cookie: hadoop.auth="u=mapr&p=mapr&t=multiauth&e=1570138539451&s=CpX+tI7sScnnSUZpA1Kdf+7hamM="; Path=/; Domain=.cluster.com; Expires=Thu, 03-Oct-2019 21:35:39 GMT; Secure; HttpOnly
< Content-Security-Policy: default-src https:
< X-XSS-Protection: 1; mode=block
< X-Content-Type-Options: nosniff
< Strict-Transport-Security: max-age=31536000
< Content-Type: application/json
< Transfer-Encoding: chunked
< Server: Jetty(9.4.19.v20190610)
Configuring Security Headers for HiveServer2 Web UI
To enable security headers for the HiveServer2 Web UI, add the following to the hive-site.xml file, replacing <version> with your Hive version:
<property>
<name>hive.server2.webui.jetty.response.headers.file</name>
<value>/opt/mapr/hive/hive-<version>/conf/headers.xml</value>
</property>
Then restart HiveServer2.
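To confirm that WebHCat or the HiveServer2 Web UI actually returns the headers after a restart, the following shell script is an added example (not from the Hive or MapR documentation). It checks a raw HTTP response, such as the curl output shown above for WebHCat, for the four headers defined in headers.xml and flags weak values. The hostnames, ports and URL paths in its usage comments are assumptions, and the two sample responses are constructed, not captured from a cluster.

```shell
#!/bin/sh
# Added example; not from the Hive or MapR documentation. Checks a raw HTTP
# response (as produced by "curl -sS -k -D - -o /dev/null <url>" or "curl -v")
# for the four headers that headers.xml is expected to add. The hosts, ports
# and paths below are assumptions, not values from the documentation:
#
#   curl -sS -k -D - -o /dev/null https://webhcat.example.com:50111/templeton/v1/status \
#       | check_security_headers
#   curl -sS -k -D - -o /dev/null https://hs2.example.com:10002/ | check_security_headers

# Header names expected once headers.xml is active (matched case-insensitively).
EXPECTED_HEADERS="Content-Security-Policy
X-Content-Type-Options
X-XSS-Protection
Strict-Transport-Security"

# Reads response headers on stdin. Strips CR line endings and the "< " prefix
# that curl -v adds, prints "MISSING: <name>" for each absent header and
# "WARN: ..." for weak values, and returns 1 if any expected header is missing.
check_security_headers() {
    hdrs=$(tr -d '\r' | sed 's/^< //')
    rc=0
    for name in $EXPECTED_HEADERS; do
        if ! printf '%s\n' "$hdrs" | grep -iq "^$name:"; then
            echo "MISSING: $name"
            rc=1
        fi
    done
    # HSTS protects subdomains only when includeSubDomains is present; browsers
    # also ignore the header entirely unless it arrived over HTTPS.
    if printf '%s\n' "$hdrs" | grep -iq '^Strict-Transport-Security:' &&
       ! printf '%s\n' "$hdrs" | grep -iq '^Strict-Transport-Security:.*includeSubDomains'; then
        echo "WARN: Strict-Transport-Security lacks includeSubDomains"
    fi
    # A CSP that allows 'unsafe-inline' gives little protection against XSS.
    if printf '%s\n' "$hdrs" | grep -iq "^Content-Security-Policy:.*'unsafe-inline'"; then
        echo "WARN: Content-Security-Policy permits 'unsafe-inline'"
    fi
    return $rc
}

# Number of "MISSING:" lines for a response passed as the first argument; a
# quick summary of how far a server is from the expected configuration.
count_missing() {
    printf '%s\n' "$1" | check_security_headers | grep -c '^MISSING:'
}

# Constructed sample responses (not captured from a real cluster): one before
# the headers file is referenced from the server configuration, one after.
RESPONSE_BEFORE='HTTP/1.1 200 OK
Content-Type: application/json
Server: Jetty(9.4.19.v20190610)'

RESPONSE_AFTER='HTTP/1.1 200 OK
Content-Security-Policy: default-src https:
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
Strict-Transport-Security: max-age=31536000
Content-Type: application/json
Server: Jetty(9.4.19.v20190610)'

# Stand-alone run: report on both samples.
echo "before:"; printf '%s\n' "$RESPONSE_BEFORE" | check_security_headers || echo "exit status $?"
echo "after:";  printf '%s\n' "$RESPONSE_AFTER"  | check_security_headers && echo "all expected headers present"
```

Pipe the header dump from curl -D - or curl -v into check_security_headers for both the WebHCat endpoint and the HiveServer2 Web UI. A non-zero exit status means at least one of the four headers is absent, which usually indicates that the property was added to the wrong file or that the service was not restarted; the includeSubDomains warning fires for the "after" sample because, like the captured WebHCat response above, it carries only max-age.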
Configuring Custom Headers
To add a custom header to the web servers, edit the headers.xml file and add an entry whose key is the header name and whose content is the header value, as follows:
<entry key="Custom-header">custom-value</entry>
Because headers.xml is a Java properties file in XML form, escape & as &amp; and < as &lt; inside header values; the header name itself is a single token without spaces.
Security Headers Auto-Configuration
If you install Hive on a secure cluster (MapR SASL or Kerberos) and run the following command after Hive installation, Hive automatically configures itself to enable security headers, and no additional action is needed:
/opt/mapr/server/configure.sh -R