
Status

Current state: Under Discussion

Discussion thread: here [Change the link from the KIP proposal email archive to your own email thread]

JIRA: here [Change the link from KAFKA-1 to your own ticket]

Please keep the discussion on the mailing list rather than commenting on the wiki (wiki discussions get unwieldy fast).

Motivation

The current Connect REST server sets only a few default HTTP response headers and omits many others, in particular most of the security-related ones. The Connect REST server uses an embedded Jetty server as its Java HTTP server and Servlet container, so users have no way to configure the HTTP response headers it sends. Many customers running the Connect REST server are asking for security-related headers to be set in its HTTP responses. Examples of such headers are X-XSS-Protection, Content-Security-Policy, Strict-Transport-Security and X-Content-Type-Options.

Public Interfaces

There are no changes to public interfaces. We only add a new configuration property, "response.http.headers"; the following section describes this property in detail.

Proposed Changes

New Property

We will add a new property, "response.http.headers", to allow a REST server administrator to configure response headers according to their security policies. We reuse the Jetty HeaderFilter class and adopt the same format as its headerConfig init parameter. The value of response.http.headers is a comma-separated list of entries of the form "[action] [header]:[header value]", i.e. a CSV of actions to perform on headers with the following syntax:
[action] [header name]: [header value],
[action] is one of "set", "add", "setDate" or "addDate" and specifies the operation performed on the header.

  • set behaves like the setHeader method of HttpServletResponse: it sets a response header with the given name and value. If the header had already been set, the new value overwrites the previous one.
  • add behaves like the addHeader method of HttpServletResponse: it adds a further value to the header, since response headers may have multiple values.
  • setDate behaves like the setDateHeader method of HttpServletResponse. It sets a header whose value is a date, computed by adding the configured number of milliseconds to the current system time. For example, "setDate Expires: 31540000000" sets an Expires header approximately one year in the future.
  • addDate behaves like the addDateHeader method of HttpServletResponse. It adds a response header with the given name and date value. For example, "addDate Last-Modified: 0" sets the Last-Modified date to the current system date.

[header name] is the name of the header.
[header value] is the value of the header. The entry must be enclosed in double quotes if the value contains commas, because the comma is the separator between entries.

Example of configuration for response.http.headers

response.http.headers=set X-Frame-Options: DENY, "add Cache-Control: no-cache, no-store, must-revalidate", setDate Expires: 31540000000, addDate Last-Modified: 0

Implementation

The implementation will use the Jetty HeaderFilter class. During initialization the Connect REST server will read the header configuration from the property response.http.headers, create a FilterHolder wrapping the HeaderFilter class, and add the filter holder to the Servlet context handler.

Pseudocode

import java.util.EnumSet;
import javax.servlet.DispatcherType;
import org.eclipse.jetty.servlet.FilterHolder;
import org.eclipse.jetty.servlet.ServletContextHandler;
import org.eclipse.jetty.servlets.HeaderFilter;

ServletContextHandler context = new ServletContextHandler(ServletContextHandler.SESSIONS);
String responseHeaders = config.getString("response.http.headers"); // raw CSV from the worker config
FilterHolder headersFilterHolder = new FilterHolder(HeaderFilter.class);
headersFilterHolder.setName("headerConfig");
headersFilterHolder.setInitParameter("headerConfig", responseHeaders); // same format as Jetty's headerConfig
context.addFilter(headersFilterHolder, "/*", EnumSet.of(DispatcherType.REQUEST)); // apply to every REST response

References
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers
https://www.eclipse.org/jetty/documentation/current/header-filter.html
https://www.eclipse.org/jetty/javadoc/9.4.24.v20191120/org/eclipse/jetty/servlets/HeaderFilter.html

Compatibility, Deprecation, and Migration Plan

Since we only add a new property, and its default value is the empty string, existing use cases and behavior are unaffected.

Rejected Alternatives

Another implementation would be to write a custom filter that intercepts responses and sets the HTTP response headers. Since the purpose of this KIP is simply to let users set HTTP response headers, this alternative would make the implementation considerably more complex without any benefit over reusing Jetty's HeaderFilter.
