Marathon: MARATHON-8405

Prevent cross site scripting and click jacking

    Details

    • Type: Task
    • Status: Resolved
    • Priority: Medium
    • Resolution: Done
    • Affects Version/s: None
    • Fix Version/s: DC/OS 1.12.0
    • Component/s: Security
    • Labels: None
    • Sprint: Marathon 2018-27
    • Story Points: 1

      Description

      Cross-site scripting and clickjacking are major concerns. Many issues can be resolved by setting some headers in the HTTP responses for the user interface and the REST responses of both the master and slave processes.

      X-Frame-Options: Can be set to deny, sameorigin, or allow-from <uri>
      X-XSS-Protection: 1; mode=block

      These would go a long way toward making sites using Marathon more secure. Note that an attacker exploiting these issues does not need access to the Marathon hosts; the attack is delivered through a user's web browser. So if a user can connect to both Marathon and the internet, it is an issue.
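      As an added example (not code from this ticket or from Marathon itself), a small Python audit that checks one response's headers against the two values named above, plus a hypothetical WSGI middleware that sets them on every response; the function names and the WSGI shape are assumptions for illustration, since Marathon's own server is not WSGI-based.

```python
from urllib.parse import urlparse

# Values that block framing outright; ALLOW-FROM <uri> is checked separately.
SAFE_XFO = {"DENY", "SAMEORIGIN"}

def audit_headers(headers):
    """Return findings for one response's headers (empty list = both set safely).
    `headers` maps name -> value as read off a UI or REST response; names are
    matched case-insensitively."""
    norm = {k.lower(): v.strip() for k, v in headers.items()}
    findings = []
    xfo = norm.get("x-frame-options")
    if xfo is None:
        findings.append("X-Frame-Options missing: response can be framed (clickjacking)")
    elif xfo.upper() not in SAFE_XFO:
        parts = xfo.split(None, 1)  # expect "ALLOW-FROM <absolute uri>"
        ok = (len(parts) == 2 and parts[0].upper() == "ALLOW-FROM"
              and all(urlparse(parts[1])[:2]))  # scheme and host present
        if not ok:
            findings.append(f"X-Frame-Options has unusable value {xfo!r}")
    xss = norm.get("x-xss-protection")
    if xss is None:
        findings.append("X-XSS-Protection missing")
    elif xss.replace(" ", "").lower() != "1;mode=block":
        findings.append(f"X-XSS-Protection is {xss!r}, expected '1; mode=block'")
    return findings

def add_security_headers(app, frame_policy="SAMEORIGIN"):
    """WSGI middleware that sets both headers on every response without
    overriding values the wrapped app already chose (hypothetical helper)."""
    def wrapped(environ, start_response):
        def start(status, headers, exc_info=None):
            present = {name.lower() for name, _ in headers}
            if "x-frame-options" not in present:
                headers.append(("X-Frame-Options", frame_policy))
            if "x-xss-protection" not in present:
                headers.append(("X-XSS-Protection", "1; mode=block"))
            return start_response(status, headers, exc_info)
        return app(environ, start)
    return wrapped

def demo_headers():
    """Run a constructed one-page app through the middleware and return the
    headers a browser would receive."""
    def app(environ, start_response):
        start_response("200 OK", [("Content-Type", "text/html")])
        return [b"<html>ok</html>"]
    seen = []
    add_security_headers(app)({}, lambda s, h, e=None: seen.extend(h))
    return dict(seen)
```

      The X-XSS-Protection check is kept because the ticket asks for it; current browsers no longer act on that header, so treat that finding as informational and rely on X-Frame-Options for the clickjacking half.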


              People

              • Assignee: Ken Sipe
              • Reporter: Don Laidlaw (Inactive)
              • Team: Orchestration Team
              • Watchers: Amr Abdelrazik, andersenleo, Dominik Dary, Jan-Philip Gehrcke, Ken Sipe, Matthias Eichstedt, Orlando Hohmeier, Somik Behera, Vic Parker (Inactive)