[AIRFLOW-6353] security - ui - add click jacking defence (apache#6995)

sekikn · Jan 3, 2020 · e36ecb4 · e36ecb4
1 parent 18e8cea
commit e36ecb4
Show file tree

Hide file tree

Showing 3 changed files with 21 additions and 0 deletions.
diff --git a/airflow/config_templates/default_airflow.cfg b/airflow/config_templates/default_airflow.cfg
@@ -371,6 +371,9 @@ cookie_samesite =
 # Default setting for wrap toggle on DAG code and TI log views.
 default_wrap = False
 
+# Allow the UI to be rendered in a frame
+x_frame_enabled = True
+
 # Send anonymous user activity to your analytics tool
 # analytics_tool = # choose from google_analytics, segment, or metarouter
 # analytics_id = XXXXXXXXXXX

diff --git a/airflow/www/app.py b/airflow/www/app.py
@@ -246,6 +246,13 @@ def before_request():
                 flask.session.modified = True
                 flask.g.user = flask_login.current_user
 
+        @app.after_request
+        def apply_caching(response):
+            _x_frame_enabled = conf.getboolean('webserver', 'X_FRAME_ENABLED', fallback=True)
+            if not _x_frame_enabled:
+                response.headers["X-Frame-Options"] = "DENY"
+            return response
+
         @app.teardown_appcontext
         def shutdown_session(exception=None):  # pylint: disable=unused-variable
             settings.Session.remove()

diff --git a/docs/security.rst b/docs/security.rst
@@ -389,6 +389,17 @@ certs and keys.
     ssl_cert = <path to cert>
     ssl_cacert = <path to cacert>
 
+Rendering Airflow UI in a Web Frame from another site
+------------------------------------------------------
+
+Using Airflow in a web frame is enabled by default. To disable this (and prevent click jacking attacks)
+set the below:
+
+.. code-block:: ini
+
+    [webserver]
+    x_frame_enabled = False
+
 Impersonation
 -------------