
Status

Current state: Under Discussion

...

Please keep the discussion on the mailing list rather than commenting on the wiki (wiki discussions get unwieldy fast).

Motivation

The current Connect REST server sets only a few default HTTP response headers and omits many others, in particular most security-related headers. The Connect REST server uses an embedded Jetty server as its Java HTTP server and Java Servlet container, so users have no way to configure the HTTP response headers it sends. Many customers running the Connect REST server are asking for security-related headers to be set in HTTP responses; examples of such headers are X-XSS-Protection, Content-Security-Policy, Strict-Transport-Security and X-Content-Type-Options.

Public Interfaces

There are no changes to public interfaces. We only add a new configuration property, "response.http.headers", which is described in detail in the following section.

Proposed Changes

New Property

We will add a new property "response.http.headers" to allow the REST server administrator to configure headers according to their security policies. We borrow the Jetty HeaderFilter class and use the same format as its headerConfig init param. The value of response.http.headers is a list of "[action] [header]:[header value]" entries separated by commas, i.e. a CSV of actions to perform on headers with the following syntax:
[action] [header name]: [header value],
[action] can be one of "set", "add", "setDate" or "addDate", which specifies the action to perform on the header.
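As an added illustration (not part of this KIP and not the Jetty or Kafka Connect code), the following Python sketch parses a response.http.headers value in the syntax above, rejects malformed entries up front so a bad configuration fails at startup rather than silently, and applies the parsed actions to a response header map. The sample configuration string and header values are constructed for the example; the handling of setDate/addDate (value treated as a millisecond offset from the current time and rendered as an HTTP-date) assumes Jetty HeaderFilter's documented semantics.

```python
"""Parse and apply a Jetty HeaderFilter-style "response.http.headers" value (illustrative)."""
import time
from email.utils import formatdate

# The four actions named in the proposal.
ACTIONS = {"set", "add", "setDate", "addDate"}

# Constructed sample value using the security headers named in the Motivation section.
SAMPLE_CONFIG = (
    "set X-XSS-Protection: 1; mode=block, "
    "add Content-Security-Policy: default-src 'self', "
    "set Strict-Transport-Security: max-age=31536000; includeSubDomains, "
    "set X-Content-Type-Options: nosniff, "
    "setDate Expires: 0"
)


def parse_header_config(config):
    """Turn '[action] [header name]: [header value], ...' into (action, name, value) tuples.

    The empty string (the proposed default) yields no entries. Malformed entries raise
    ValueError so the operator sees the problem at startup instead of in a missing header.
    """
    entries = []
    for raw in config.split(","):
        item = raw.strip()
        if not item:
            continue  # tolerate trailing comma / blank entries
        parts = item.split(None, 1)
        if len(parts) != 2:
            raise ValueError(f"missing header after action in entry: {item!r}")
        action, rest = parts
        if action not in ACTIONS:
            raise ValueError(f"unknown action {action!r} in entry: {item!r}")
        name, sep, value = rest.partition(":")
        name, value = name.strip(), value.strip()
        if not sep or not name:
            raise ValueError(f"expected '[header name]: [header value]' in entry: {item!r}")
        if action.endswith("Date"):
            try:
                int(value)  # assumption: date actions take a millisecond offset, as in Jetty
            except ValueError:
                raise ValueError(f"{action} requires an integer millisecond offset: {item!r}")
        entries.append((action, name, value))
    return entries


def _existing_key(headers, name):
    """HTTP header names are case-insensitive; reuse an existing key if one matches."""
    for key in headers:
        if key.lower() == name.lower():
            return key
    return name


def apply_header_config(entries, headers, now_ms=None):
    """Apply parsed entries to a header multimap (name -> list of values).

    'set'/'setDate' replace any existing values, 'add'/'addDate' append another value.
    """
    if now_ms is None:
        now_ms = int(time.time() * 1000)
    for action, name, value in entries:
        if action.endswith("Date"):
            # Assumption (Jetty semantics): value is milliseconds added to the current time.
            value = formatdate((now_ms + int(value)) / 1000, usegmt=True)
        key = _existing_key(headers, name)
        if action.startswith("set"):
            headers[key] = [value]
        else:
            headers.setdefault(key, []).append(value)
    return headers


if __name__ == "__main__":
    for name, values in apply_header_config(parse_header_config(SAMPLE_CONFIG), {}).items():
        for v in values:
            print(f"{name}: {v}")
```

Two practical consequences of the format are visible in the code: because the comma is the entry separator, a single header value that itself contains a comma (for example a Cache-Control list) cannot be written as one entry and has to be expressed as repeated "add" entries; and validation belongs at configuration load time, since a rejected entry at that point is far easier to diagnose than a security header that is silently absent from responses.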

...

https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers
https://www.eclipse.org/jetty/documentation/current/header-filter.html
https://www.eclipse.org/jetty/javadoc/9.4.24.v20191120/org/eclipse/jetty/servlets/HeaderFilter.html

Compatibility, Deprecation, and Migration Plan

Since we only add a new property, and its default value is the empty string, existing use cases and behavior are unaffected.

Rejected Alternatives

Another implementation would be to write a custom filter extension that intercepts responses and sets HTTP response headers. Since the purpose of this KIP is simply to let users set HTTP response headers, this alternative makes the implementation much more complex without gaining any benefit.

...