- HTTP Strict Transport Security (HSTS) instructs web browsers to use only secure connections for all future requests when communicating with a web site. Doing so helps prevent SSL protocol downgrade attacks, SSL stripping, cookie hijacking, and other attempts to circumvent SSL protection.
- HTTP Strict Transport Security (HSTS) must be enabled. V-222960: Low: Documentation must be removed.
- HSTS configuration for Apache and Nginx: HTTP Strict Transport Security (HSTS) is a security capability that forces web clients to use HTTPS. The idea behind HSTS is that clients should always communicate as safely as possible; to achieve this, the web server and web browser prefer the HTTPS protocol over HTTP.
- HTTP Strict Transport Security prevents SSL stripping on the client side, not the server side. Once a browser has received the Strict-Transport-Security header over HTTPS, it refuses to talk plain HTTP to that host: when you type "myonlinebank.com" the browser does not send an HTTP request and wait for a redirect, it rewrites the request to HTTPS internally before anything leaves the machine. The server's only role is to send the header on its HTTPS responses; a header received over plain HTTP is ignored.
Apache Zeppelin can be configured to send HTTP response headers that help prevent Cross Site Scripting (XSS) and Cross-Frame Scripting (XFS) and that enforce HTTP Strict Transport Security. Apache Zeppelin also has a configuration option to set the application server name reported in the Server header to a value of your choosing.
Setting up HTTP Strict Transport Security (HSTS) Response Header
Enabling the HSTS response header prevents man-in-the-middle attacks by making the browser upgrade every HTTP request for the host to HTTPS on its own, before the request is sent. This only takes effect when the Zeppelin server is running on SSL, because browsers ignore an HSTS header received over plain HTTP. Read on how to configure SSL for Zeppelin here. Once the policy is cached, any resource or link on the page that points at http:// on the target domain is rewritten to https:// by the browser instead of being fetched in the clear. It also defeats a MITM attacker who presents an invalid SSL certificate: for an HSTS host the browser refuses the connection outright and does not let the user click through the certificate warning.
The following property needs to be updated in zeppelin-site.xml in order to enable HSTS. Choose an appropriate value for max-age (in seconds). Start with a short value while you confirm that every HTTPS endpoint works, because a long max-age on a broken TLS setup locks browsers out until it expires; then raise it to a year or more. includeSubDomains extends the policy to every subdomain, so every subdomain must be reachable over HTTPS. preload is only meaningful if the domain is submitted to the browser preload list, which requires includeSubDomains and a max-age of at least one year.
Possible values are:
- max-age=<expire-time>
- max-age=<expire-time>; includeSubDomains
- max-age=<expire-time>; preload
Read more about HSTS in RFC 6797.
Setting up X-XSS-PROTECTION Header
The HTTP X-XSS-Protection response header is a feature of Internet Explorer, older Chrome and Safari web browsers that triggers the configured action when they detect a reflected cross-site scripting (XSS) attack. Current Chrome and Edge have removed their XSS auditor and Firefox never implemented one, so the header only affects legacy browsers; a Content-Security-Policy is the modern control against XSS.
The following property needs to be updated in zeppelin-site.xml in order to set the X-XSS-Protection header.
Choose an appropriate value from the list below.
- 0 (Disables XSS filtering)
- 1 (Enables XSS filtering. If a cross-site scripting attack is detected, the browser will sanitize the page.)
- 1; mode=block (Enables XSS filtering. The browser will prevent rendering of the page if an attack is detected.)
Read more about the HTTP X-XSS-Protection response header in the browser vendor documentation (MDN lists it as deprecated).
Setting up X-Frame-Options Header
The X-Frame-Options HTTP response header tells the browser whether the page may be rendered inside a <frame>, <iframe> or <object> on another site, which prevents clickjacking attacks by ensuring that the content is not embedded into other sites.
The following property needs to be updated in zeppelin-site.xml in order to set the X-Frame-Options header.
Choose an appropriate value from the list below.
- DENY
- SAMEORIGIN
- ALLOW-FROM uri (no longer honoured by current Chrome, Firefox or Safari, which treat it as if the header were absent; use the Content-Security-Policy frame-ancestors directive to allow a specific origin)
Setting up Server Header
Security-conscious organisations do not want to reveal the application server name and version, so that an attacker cannot obtain this information cheaply while fingerprinting the application. The exact version number tells an attacker whether the current application server is patched against, or vulnerable to, publicly known CVEs associated with it.
The following property needs to be updated in zeppelin-site.xml in order to set the Server header.
The value can be any string.
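The check a practitioner would run after editing zeppelin-site.xml, as an added example that is not part of the Zeppelin documentation or code base: a small Python script that parses a raw HTTP response head and reports whether the four headers described on this page (Strict-Transport-Security, X-Frame-Options, X-XSS-Protection and Server) are present and sane. The two sample responses are constructed for illustration; the Jetty version string and the header values in them are assumptions, not captured from a real server. To audit a live instance, pass audit() the raw output of `curl -sI https://<your-zeppelin-host>/`.

```python
"""Audit the response headers this page tells you to configure.
Added example, not Apache Zeppelin project code. Sample responses below
are constructed for illustration."""
from __future__ import annotations
import re

ONE_YEAR = 31_536_000  # seconds; minimum max-age the HSTS preload list accepts
VERSION_RE = re.compile(r"\d+\.\d+")  # catches "Jetty(9.4.14...)" style version leakage


def parse_response(raw: str) -> tuple[str, dict[str, list[str]]]:
    """Split a raw response head into the status line and a name -> values map.
    Names are lower-cased (field names are case-insensitive); repeated fields
    keep their order so per-header rules can decide which one counts."""
    head = raw.split("\r\n\r\n", 1)[0]
    status, *fields = head.split("\r\n")
    headers: dict[str, list[str]] = {}
    for field in fields:
        name, _, value = field.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return status, headers


def parse_hsts(value: str) -> dict[str, str]:
    """Parse Strict-Transport-Security directives (RFC 6797 section 6.1).
    Directive names are case-insensitive; valueless directives map to ''."""
    directives = {}
    for part in value.split(";"):
        name, _, val = part.strip().partition("=")
        if name:
            directives[name.strip().lower()] = val.strip().strip('"')
    return directives


def check_hsts(values: list[str] | None, over_https: bool) -> list[str]:
    """Findings for HSTS. Browsers honour the header only on an HTTPS response
    and process only the first STS field they see (RFC 6797 section 8.1)."""
    if not values:
        return ["missing: browser will keep accepting plain HTTP for this host"]
    findings = []
    if not over_https:
        findings.append("received over HTTP: browsers ignore HSTS on non-TLS responses")
    d = parse_hsts(values[0])
    if not d.get("max-age", "").isdigit():
        return findings + ["max-age missing or non-numeric: header is invalid and ignored"]
    max_age = int(d["max-age"])
    if max_age == 0:
        findings.append("max-age=0 clears the policy instead of enforcing it")
    elif max_age < ONE_YEAR:
        findings.append(f"max-age={max_age} is below one year; fine for rollout, too short for preload")
    if "preload" in d and ("includesubdomains" not in d or max_age < ONE_YEAR):
        findings.append("preload requires includeSubDomains and max-age >= one year")
    return findings


def check_frame_options(values: list[str] | None) -> list[str]:
    """X-Frame-Options: only DENY and SAMEORIGIN are honoured by current browsers."""
    if not values:
        return ["missing: page can be framed by any origin (clickjacking)"]
    v = values[0].upper()
    if v in ("DENY", "SAMEORIGIN"):
        return []
    if v.startswith("ALLOW-FROM"):
        return ["ALLOW-FROM is ignored by current Chrome, Firefox and Safari; use CSP frame-ancestors"]
    return [f"unrecognised value {values[0]!r}: treated as absent"]


def check_xss_protection(values: list[str] | None) -> list[str]:
    """Legacy-browser filter; flag values outside the documented set."""
    if not values:
        return ["missing: legacy browsers fall back to their default filter mode"]
    v = re.sub(r"\s+", "", values[0].lower())
    return [] if v in ("0", "1", "1;mode=block") else [f"unrecognised value {values[0]!r}"]


def check_server(values: list[str] | None) -> list[str]:
    """Server: flag anything that discloses a product version."""
    if values and VERSION_RE.search(values[0]):
        return [f"version disclosed: {values[0]!r}; set a neutral Server value"]
    return []


def audit(raw: str, over_https: bool = True) -> dict[str, list[str]]:
    """Return {header: [findings]}; an empty list means that header passed."""
    _, h = parse_response(raw)
    return {
        "strict-transport-security": check_hsts(h.get("strict-transport-security"), over_https),
        "x-frame-options": check_frame_options(h.get("x-frame-options")),
        "x-xss-protection": check_xss_protection(h.get("x-xss-protection")),
        "server": check_server(h.get("server")),
    }


# Constructed responses (assumed values): a default-looking one and one after hardening.
WEAK = ("HTTP/1.1 200 OK\r\nServer: Jetty(9.4.14.v20181114)\r\n"
        "X-Frame-Options: ALLOW-FROM https://intranet.example\r\n"
        "Content-Type: text/html\r\n\r\n<html>")
HARDENED = ("HTTP/1.1 200 OK\r\nServer: Zeppelin\r\n"
            "Strict-Transport-Security: max-age=631138519; includeSubDomains; preload\r\n"
            "X-Frame-Options: SAMEORIGIN\r\nX-XSS-Protection: 1; mode=block\r\n"
            "Content-Type: text/html\r\n\r\n<html>")

if __name__ == "__main__":
    for label, raw in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, {k: v for k, v in audit(raw).items() if v})
```

The HSTS check is deliberately stricter than a browser: a browser accepts any positive max-age, but the script flags values under a year because that is the threshold the preload list enforces and the value most hardening guides expect once rollout is done. Run it with over_https=False against a response captured from the plain-HTTP port to confirm the header is not being relied on where browsers would ignore it.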