...
The current Connect REST server only sets a few default HTTP response headers. It is missing many headers, including most headers related to security. The Connect REST server uses an embedded Jetty server as the Java HTTP server and Java Servlet container, so users have no way to configure HTTP response headers for the Connect REST server. Many customers using the Connect REST server are demanding security-related headers in the HTTP response. Some examples of such headers are X-XSS-Protection, Content-Security-Policy, Strict-Transport-Security and X-Content-Type-Options. Some resources need more protection than others because of their security requirements, so we will allow site administrators to control which resources the user agent is or is not allowed to load for a given page. For this case, the sensitive resources need to use Content-Security-Policy in the response header. Some resources can only be accessed over HTTPS instead of HTTP; then the Strict-Transport-Security response header (often abbreviated as HSTS) needs to be set to let a web site tell browsers that it should only be accessed using HTTPS. That is why we provide a feature to support configuring different headers for different resources.
Public Interfaces
There are no changes to existing public interfaces, but we will add new configuration options. We follow the same pattern as configuring different Kafka listeners. We define a new property response.http.headers which defines the names of the header filters that will be configured. The default value of response.http.headers is the empty string, which means there are no header filters configured for HTTP responses. We define a new prefix "response.http.headers.{name}.", followed by a set of properties which define the rules for the header filter. The {name} will be one of the names defined in response.http.headers. The following section has a detailed description.
...
Property Name | Type | Default | Importance | Description | Example Value |
---|---|---|---|---|---|
response.http.headers | LIST | "" | medium | Defines the names of the header filters, separated by commas. | default, connector1, connector2 |
response.http.headers.{name}.header.config | STRING | "" | low | Defines a set of HTTP headers for the header filter {name}, which must be one of the names defined in the property response.http.headers. | set X-Frame-Options: DENY, "add Cache-Control: no-cache, no-store, must-revalidate", setDate Expires: 31540000000, addDate Last-Modified: 0 |
response.http.headers.{name}.included.paths | STRING | "" | low | Comma-separated list of included path specs to which the HTTP headers are applied. | |
response.http.headers.{name}.excluded.paths | STRING | "" | low | Comma-separated list of excluded path specs to which the HTTP headers are not applied. | /connectors/connector1/status |
response.http.headers.{name}.included.mime.types | STRING | "" | low | Comma-separated list of included MIME types to which the HTTP headers are applied. | application/json |
response.http.headers.{name}.excluded.mime.types | STRING | "" | low | Comma-separated list of excluded MIME types to which the HTTP headers are not applied. | application/xml |
response.http.headers.{name}.included.http.methods | STRING | "" | low | Comma-separated list of included HTTP methods to which the HTTP headers are applied. Valid values: see https://developer.mozilla.org/en-US/docs/Web/HTTP/Methods | POST,PUT |
response.http.headers.{name}.excluded.http.methods | STRING | "" | low | Comma-separated list of excluded HTTP methods to which the HTTP headers are not applied. Valid values: see https://developer.mozilla.org/en-US/docs/Web/HTTP/Methods | GET |
Detailed Explanation for response.http.headers.{name}.header.config
The format is "[action] [header]: [header value], ...", a list of [action] [header]:[value] entries separated by commas ",". So it is a CSV of actions to perform on headers, each with the following syntax:
[action] [header name]: [header value],
[action] can be one of "set", "add", "setDate" or "addDate", which specifies the action to perform on the header.
set action is the same as the setHeader function in HttpServletResponse: it sets a response header with the given name and value. If the header had already been set, the new value overwrites the previous one.
add action is the same as the addHeader function in HttpServletResponse: it adds a new value to the header. Response headers can have multiple values.
setDate action is the same as the setDateHeader function in HttpServletResponse: it sets an HTTP header with a date value, where the numeric value is a millisecond offset from the current time. For example, "setDate Expires: 31540000000" indicates the header will expire approximately one year in the future.
addDate action is the same as the addDateHeader function in HttpServletResponse: it adds a response header with the given name and date value. For example, "addDate Last-Modified: 0" indicates the Last-Modified date is the same as the current system date.
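As an added illustration (not part of the proposal or of Kafka's code), the following model of the semantics described above and in the property table parses a header.config value, applies its actions to a response-header map, and decides whether a named filter applies to a request from its included/excluded paths, methods and MIME types. It assumes a `cfg` dict keyed by the property suffix after `response.http.headers.{name}.`, simple servlet-style path matching (exact or `/*` prefix), and that exclusions take precedence over inclusions; those assumptions are labelled in the code.

```python
import csv
import time
from email.utils import formatdate

def parse_header_config(config):
    """Split '[action] [header]: [value], ...' into (action, header, value) tuples.
    A value containing commas must be double-quoted (Cache-Control example above)."""
    rules = []
    for field in next(csv.reader([config], skipinitialspace=True), []):
        if not field.strip():
            continue
        action, rest = field.strip().split(None, 1)
        if action not in ("set", "add", "setDate", "addDate"):
            raise ValueError("unknown action: " + action)
        header, sep, value = rest.partition(":")
        if not sep or not header.strip():
            raise ValueError("expected '[header]: [value]' in: " + field)
        rules.append((action, header.strip(), value.strip()))
    return rules

def apply_rules(rules, headers, now_ms=None):
    """Apply rules to a header map (name -> list of values): set* replaces existing
    values, add* appends. *Date values are milliseconds added to the current time
    (so 'addDate Last-Modified: 0' means now) and rendered as HTTP dates."""
    now_ms = int(time.time() * 1000) if now_ms is None else now_ms
    for action, name, value in rules:
        if action.endswith("Date"):
            value = formatdate((now_ms + int(value)) / 1000, usegmt=True)
        if action.startswith("set"):
            headers[name] = [value]
        else:
            headers.setdefault(name, []).append(value)
    return headers

def _path_matches(spec, path):
    # Assumed path-spec matching: exact, or prefix for specs ending in "/*".
    return path == spec or (spec.endswith("/*") and (path == spec[:-2] or path.startswith(spec[:-1])))

def filter_applies(cfg, path, method, mime_type):
    """Decide whether a named filter applies to a response from its included./excluded.
    paths, http.methods and mime.types lists. Assumed precedence: an empty include
    list matches everything, and any exclusion match wins over inclusion."""
    def lists(key):  # (included, excluded) comma-separated values for one property
        return [[v.strip() for v in cfg.get(p + key, "").split(",") if v.strip()]
                for p in ("included.", "excluded.")]
    (ip, ep), (im, em), (it, et) = lists("paths"), lists("http.methods"), lists("mime.types")
    if any(_path_matches(s, path) for s in ep) or method in em or mime_type in et:
        return False
    return ((not ip or any(_path_matches(s, path) for s in ip))
            and (not im or method in im) and (not it or mime_type in it))
```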
...
The implementation will use the Jetty HeaderFilter class. We need to update the org.apache.kafka.connect.runtime.rest.RestServer class. During the initialization process, the Connect REST server will check the property response.http.headers. If its value is not empty, the REST server will read all header configurations from the properties with prefix response.http.headers.{name}, create a list of FilterHolder instances using the HeaderFilter class, and add those filter holders to the Servlet context handler based on the name of the header filter. The implementation is similar to how the Connect REST server handles the access.control.allow.origin header.
...