What I'm saying is that CORS is not a vulnerability once you have authentication in place. CORS works only if the client respects it. Use a standalone program like curl or Postman, a custom client, or even Chrome with security off (https://stackoverflow.com/questions/17679399/does-disable-web-security-work-in-chrome-anymore/36939693) and you can make a request to any server no matter what its CORS response is. The way to harden your server is not to have any public operations without authentication. CORS can be ignored. It's a false vulnerability. This forum is not the right forum for more discussion on this. You can read up on what CORS is and how good auth can protect you.
If you just want to harden your server, a CORS Java filter from GitHub with your config can do the trick. Placed in the root web app, it adds CORS headers to all traffic.

On Thu, 13 Dec, 2018, 13:26 Bicky Ealias <bickyeal...@gmail.com> wrote:

> It's authenticated with LDAP. I am talking about the Cross Origin Resource
> Sharing issue, for which there are configurations recommended to harden the HTTPS headers.
>
> https://issues.apache.org/jira/plugins/servlet/mobile#issue/ZEPPELIN-245
>
> I have followed the steps here
> https://zeppelin.apache.org/docs/0.7.3/security/http_security_headers.html
> but that doesn't seem to fix the vulnerability.
>
> On Thu., 13 Dec. 2018, 5:13 pm Tushar Kapila <tgkp...@gmail.com> wrote:
>
>> If it is exposed and you don't want unauthorized users to read or write,
>> you need to add authentication: Apache Shiro, or make the Zeppelin port private
>> (behind a firewall) and proxy all requests through a server that has the
>> authentication you want.
>>
>> On Thu, 13 Dec, 2018, 11:12 Tushar Kapila <tgkp...@gmail.com> wrote:
>>
>>> Is your Zeppelin exposed to the internet? If not, I don't see why this should
>>> be an issue if it's behind the firewall.
>>>
>>> On Wed, 12 Dec, 2018, 03:57 Bicky Ealias <bickyeal...@gmail.com> wrote:
>>>
>>>> Checking again.. Has anyone got a chance to fix the CORS issue on Zeppelin?
>>>>
>>>> On Wed., 5 Dec. 2018, 5:55 pm Bicky Ealias <bickyeal...@gmail.com> wrote:
>>>>
>>>>> Hello users,
>>>>> Has anyone succeeded in hardening Zeppelin against the CORS vulnerability?
>>>>>
>>>>> ---------- Forwarded message ---------
>>>>> From: Jeff Zhang <zjf...@gmail.com>
>>>>> Date: Tuesday, 4 December 2018 at 5:05 pm
>>>>> To: "Ealias, Bicky" <bicky.eal...@cba.com.au>
>>>>> Subject: Re: CORS policy in Zeppelin
>>>>>
>>>>> Sorry, I don't know about this, could you ask this in the zeppelin user
>>>>> mail list?
>>>>>
>>>>> Ealias, Bicky <bicky.eal...@cba.com.au> wrote on Tuesday, 4 December 2018 at 10:55 am:
>>>>>
>>>>> Hi Jeff,
>>>>>
>>>>> Hope you are doing well.
>>>>>
>>>>> Recently we had penetration testing done on Zeppelin, and one
>>>>> vulnerability that came forward is an issue with Zeppelin's HTML2 CORS
>>>>> policy.
>>>>>
>>>>> We are on version 0.8.0. I added these configurations as per the
>>>>> documentation:
>>>>>
>>>>> https://zeppelin.apache.org/docs/0.8.0/setup/security/http_security_headers.html
>>>>>
>>>>> But still that doesn't seem to fix the issue.
>>>>>
>>>>> https://issues.apache.org/jira/browse/ZEPPELIN-245 I see this ticket
>>>>> but the comment says it's fixed in 0.6.0 already.
>>>>>
>>>>> ..Are there some other settings I can change?
>>>>>
>>>>> Bicky Ealias
>>>>> Analytics & Information
>>>>> Commonwealth Bank
>>>>> E: bicky.eal...@cba.com.au
>>>>>
>>>>> ************** IMPORTANT MESSAGE *****************************
>>>>> This e-mail message is intended only for the addressee(s) and contains
>>>>> information which may be confidential.
>>>>> If you are not the intended recipient please advise the sender by
>>>>> return email, do not use or disclose the contents, and delete the
>>>>> message and any attachments from your system. Unless specifically
>>>>> indicated, this email does not constitute formal advice or commitment
>>>>> by the sender or the Commonwealth Bank of Australia (ABN 48 123 123 124
>>>>> AFSL and Australian credit licence 234945) or its subsidiaries.
>>>>> We can be contacted through our web site: commbank.com.au.
>>>>> If you no longer wish to receive commercial electronic messages from
>>>>> us, please reply to this e-mail by typing Unsubscribe in the subject line.
>>>>> **************************************************************
>>>>>
>>>>> --
>>>>>
>>>>> Best Regards
>>>>>
>>>>> Jeff Zhang
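An added example, not Zeppelin's code nor the GitHub filter mentioned above: the decision logic a strict CORS filter should apply (exact-match origin allowlist, no echoing of the caller's Origin, never `*` together with credentials), written in Python so it runs stand-alone, plus the check used to verify that a fix actually closed the finding. The allowlist values are constructed; that Zeppelin reads its own allowlist from `zeppelin.server.allowed.origins` is an assumption from the Zeppelin configuration, not something this thread states.

```python
from urllib.parse import urlsplit

# Constructed allowlist for the example; a real deployment would hold the notebook UI
# origins (for Zeppelin, assumed to correspond to zeppelin.server.allowed.origins).
ALLOWED_ORIGINS = {"https://notebook.example.com", "https://analytics.example.com:8443"}


def normalize_origin(origin):
    """Return 'scheme://host[:port]' in canonical form, or None if the value is
    missing, the literal 'null', or not a bare origin (path, query, userinfo rejected)."""
    if not origin or origin == "null":
        return None
    parts = urlsplit(origin)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    if parts.path or parts.query or parts.fragment or parts.username:
        return None
    port = f":{parts.port}" if parts.port else ""
    return f"{parts.scheme}://{parts.hostname}{port}"  # hostname is already lowercased


def cors_response_headers(request_origin, allowed=ALLOWED_ORIGINS, with_credentials=True):
    """Headers a strict CORS filter adds. Exact-match allowlist only: no suffix or
    substring matching, no echoing the caller's Origin, never '*' with credentials.
    An origin not on the list gets no Allow-Origin header, so browsers block the read."""
    origin = normalize_origin(request_origin)
    headers = {"Vary": "Origin"}  # caches must not serve one origin's answer to another
    if origin is None or origin not in allowed:
        return headers
    headers["Access-Control-Allow-Origin"] = origin
    headers["Access-Control-Allow-Methods"] = "GET, POST, PUT, DELETE"
    headers["Access-Control-Allow-Headers"] = "Content-Type, Authorization"
    if with_credentials:
        headers["Access-Control-Allow-Credentials"] = "true"
    return headers


def cors_policy_is_permissive(untrusted_origin, response_headers):
    """Verification check after a fix: send a request whose Origin is NOT on the
    allowlist and inspect the reply. Flags the two findings a pentest report usually
    means by a 'CORS vulnerability': the server echoes an arbitrary origin while
    allowing credentials, or it sends '*' together with credentials."""
    acao = response_headers.get("Access-Control-Allow-Origin")
    creds = response_headers.get("Access-Control-Allow-Credentials", "").lower() == "true"
    if acao is None or not creds:
        return False
    return acao == "*" or normalize_origin(acao) == normalize_origin(untrusted_origin)
```

Note that none of these headers stop a non-browser client, which is Tushar's point: they only tell a browser whether a page from another origin may read the response, so authentication on every operation remains the real control.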