Status
Current state: Under Discussion
...
Please keep the discussion on the mailing list rather than commenting on the wiki (wiki discussions get unwieldy fast).
Motivation
The Connect REST server currently sets only a few default HTTP response headers; most of the headers related to security are missing. Because the Connect REST server runs on an embedded Jetty server, which acts as both the HTTP server and the Java Servlet container, users have no way to configure the HTTP response headers it returns. Many users of the Connect REST server want security-related headers set on every response. Examples are X-XSS-Protection, Content-Security-Policy, Strict-Transport-Security and X-Content-Type-Options, which instruct a browser to, for instance, refuse to sniff response content types (X-Content-Type-Options: nosniff) or to talk to the host only over HTTPS (Strict-Transport-Security).
Public Interfaces
There are no changes to existing public interfaces. The only addition is a new configuration property, "response.http.headers", which is described in detail in the following section.
Proposed Changes
New Property
We will add a new property, "response.http.headers", that lets the REST server administrator configure response headers according to their security policy. The implementation reuses Jetty's HeaderFilter class and the format of its headerConfig init parameter. The value of response.http.headers is a comma-separated list of actions to perform on headers, i.e. a CSV of entries of the form [action] [header]:[header value], each with the following syntax:
[action] [header name]: [header value]
[action] is one of "set", "add", "setDate" or "addDate" and specifies the operation performed on the header: set replaces any existing value of the header, add appends a further value, and setDate/addDate do the same with an HTTP date computed from [header value], which in that case must be a millisecond offset from the current time. Because the list is comma-separated, take care with header values that themselves contain commas.
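The following parser and applier for the header-config format is an added example written for this page; it is not Kafka or Jetty code. It mirrors the documented HeaderFilter semantics (set replaces, add appends, setDate/addDate take a millisecond offset from now) so that an administrator can validate a candidate response.http.headers value and see the resulting headers before restarting Connect. The double-quote handling in split_csv, the case-insensitive header lookup, the EXAMPLE_CONFIG value and the pre-filter response headers are assumptions constructed for the example.

```python
"""Parser/applier for the "[action] [header]: [value], ..." format (added example)."""
from __future__ import annotations

import email.utils
import re
import time
from dataclasses import dataclass

ACTIONS = ("set", "add", "setDate", "addDate")
# RFC 7230 token characters, the only ones legal in a header field name.
_TOKEN = re.compile(r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")


@dataclass(frozen=True)
class HeaderRule:
    action: str
    name: str
    value: str  # for setDate/addDate: offset in milliseconds, as text


def split_csv(config: str) -> list[str]:
    """Split on commas outside double quotes; the quotes themselves are dropped.
    Assumption of this example: quoting is how a value such as
    'no-store, no-cache' survives the comma-separated format."""
    items, buf, quoted = [], [], False
    for ch in config:
        if ch == '"':
            quoted = not quoted
        elif ch == "," and not quoted:
            items.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    if quoted:
        raise ValueError("unbalanced double quote in header config")
    items.append("".join(buf))
    return [i.strip() for i in items if i.strip()]


def parse_header_config(config: str) -> list[HeaderRule]:
    """Turn one property value into rules, rejecting malformed entries up front."""
    rules = []
    for entry in split_csv(config):
        parts = entry.split(None, 1)  # action, then "name: value"
        if len(parts) != 2 or parts[0] not in ACTIONS:
            raise ValueError(f"bad or missing action in entry {entry!r}")
        action, rest = parts
        name, sep, value = rest.partition(":")
        name, value = name.strip(), value.strip()
        if not sep or not _TOKEN.fullmatch(name):
            raise ValueError(f"bad header name in entry {entry!r}")
        if "\r" in value or "\n" in value:  # never let a config value split a header
            raise ValueError(f"CR/LF in header value of entry {entry!r}")
        if action.endswith("Date") and not re.fullmatch(r"-?\d+", value):
            raise ValueError(f"{action} needs a millisecond offset in entry {entry!r}")
        rules.append(HeaderRule(action, name, value))
    return rules


def _find_key(headers: dict, name: str) -> str:
    """Header names are case-insensitive; reuse an existing spelling if present."""
    for k in headers:
        if k.lower() == name.lower():
            return k
    return name


def apply_rules(rules, headers=None, now_ms=None) -> dict[str, list[str]]:
    """Apply rules to a response header map (name -> list of values); input is not mutated."""
    out = {k: list(v) for k, v in (headers or {}).items()}
    if now_ms is None:
        now_ms = int(time.time() * 1000)
    for rule in rules:
        key = _find_key(out, rule.name)
        if rule.action.endswith("Date"):
            value = email.utils.formatdate((now_ms + int(rule.value)) / 1000, usegmt=True)
        else:
            value = rule.value
        if rule.action.startswith("set"):
            out[key] = [value]
        else:
            out.setdefault(key, []).append(value)
    return out


# The security headers the Motivation names; used to check a response carries them.
EXPECTED_SECURITY_HEADERS = ("X-XSS-Protection", "Content-Security-Policy",
                             "Strict-Transport-Security", "X-Content-Type-Options")


def missing_security_headers(headers: dict) -> list[str]:
    present = {k.lower() for k in headers}
    return [h for h in EXPECTED_SECURITY_HEADERS if h.lower() not in present]


# Constructed value for the proposed response.http.headers property (not from the KIP).
EXAMPLE_CONFIG = (
    "add X-XSS-Protection: 1; mode=block, "
    "add Strict-Transport-Security: max-age=31536000; includeSubDomains, "
    "set X-Content-Type-Options: nosniff, "
    "add Content-Security-Policy: default-src 'self', "
    'set Cache-Control: "no-store, no-cache", '
    "setDate Expires: 0"
)

if __name__ == "__main__":
    # Constructed pre-filter response headers, standing in for what the server emits today.
    base = {"Date": ["Thu, 01 Jan 1970 00:00:00 GMT"], "content-type": ["application/json"]}
    print("missing before:", missing_security_headers(base))
    after = apply_rules(parse_header_config(EXAMPLE_CONFIG), base)
    print("missing after:", missing_security_headers(after))
    for name, values in after.items():
        for v in values:
            print(f"{name}: {v}")
```

Running the script prints the headers a response would carry after the filter. Once the property is deployed, the same check can be made against a live worker by fetching any REST endpoint with HEAD/GET and feeding the returned header names to missing_security_headers.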
...
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers
https://www.eclipse.org/jetty/documentation/current/header-filter.html
https://www.eclipse.org/jetty/javadoc/9.4.24.v20191120/org/eclipse/jetty/servlets/HeaderFilter.html
Compatibility, Deprecation, and Migration Plan
Since this KIP only adds a new property, and its default value is the empty string (no headers are modified), existing deployments and behavior are unaffected.
Rejected Alternatives
Another approach would be to write a custom servlet filter that intercepts responses and sets HTTP response headers. Since the purpose of this KIP is simply to let users set HTTP response headers, that alternative makes the implementation considerably more complex without any benefit over reusing Jetty's HeaderFilter.
...