Configuring Security Headers for Web Servers for Oozie

This section describes how to configure response headers for REST API servers used in the Oozie web UI.

About the Headers File

The XML file with security headers is located at:
/opt/mapr/oozie/oozie-<version>/conf/security-headers.xml
The security-headers.xml file contains the following headers:
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<!DOCTYPE properties SYSTEM 
"http://java.sun.com/dtd/properties.dtd">
<properties>
    <comment>Security headers that is used to minimize the possibility of cross-site scripting and other attacks</comment>
    <entry key="X-XSS-Protection">1; mode=block</entry>
    <entry key="X-Content-Type-Options">nosniff</entry>
    <entry key="Strict-Transport-Security">max-age=31536000;includeSubDomains</entry>
    <entry key="Content-Security-Policy">default-src https:</entry>
</properties>

This table describes each header:

Header Description Default Value
X-XSS-Protection Stops pages from loading when reflected cross-site scripting (XSS) is detected. Supported by IE, Chrome, and Safari. 1: mode=block
X-Content-Type-Options Indicates that the MIME types advertised in the Content-Type headers should not be changed and should be followed. nosniff
Strict-Transport-Security Tells all browsers that the website should only be accessed using HTTPS instead of using HTTP. max-age=31536000;includeSubDomains
Content-Security-Policy Allows web-site administrators to control resources the user agent is allowed to load for a given page. This helps guard against cross-site scripting attacks (XSS). default-src https:

Configuring Security Headers for Oozie

To enable security headers for Oozie, add the following to the oozie-site.xml file, and replace <version> with your Oozie version:
<property>
<name>oozie.server.response.headers</name>
<value>/opt/mapr/oozie/oozie-<version>/conf/security-headers.xml</value>
</property>

Configuring Custom Headers

To configure custom headers for web servers, edit the headers.xml file, and add Custom-header as follows:
<entry key="Custom-header">custom-value</entry>

Security Headers Auto-Configuration

If you install Oozie on a secure cluster (MapR SASL or Kerberos) and run the following command after Oozie installation, Oozie automatically configures itself to enable security headers, and no additional action is needed:
/opt/mapr/server/configure.sh -R