Fix #10808: Add configuration to enable HSTS, X-Frame-Options, X-Cont… (#10809)

* Fix #10808: Add configuration to enable HSTS, X-Frame-Options, X-Content-Type-Options etc..

* Fix #10808: Add configuration to enable HSTS, X-Frame-Options, X-Content-Type-Options etc..

conf/openmetadata.yaml

@@ -306,6 +306,18 @@ applicationConfig:
     accessBlockTime: ${OM_LOGIN_ACCESS_BLOCK_TIME:-600}
     jwtTokenExpiryTime: ${OM_JWT_EXPIRY_TIME:-3600}
 
-changeEventConfig:
-  omUri: ${OM_URI:- "http://localhost:8585"} #openmetadata in om uri for eg http://loclhost:8585
+
+web:
+  uriPath: /api
+  hsts:
+    enabled: true
+  frame-options:
+    enabled: true
+  content-type-options:
+    enabled: true
+  xss-protection:
+    enabled: true
+
+changeEventConfig:
+  omUri: ${OM_URI:- "http://localhost:8585"} #openmetadata in om uri for eg http://localhost:8585
 

openmetadata-service/pom.xml

@@ -231,6 +231,11 @@
       <version>${awssdk.version}</version>
     </dependency>
 
+    <dependency>
+      <groupId>io.dropwizard.modules</groupId>
+      <artifactId>dropwizard-web</artifactId>
+    </dependency>
+
     <!-- Dependencies for cloudwatch monitoring -->
     <dependency>
       <groupId>software.amazon.awssdk</groupId>

openmetadata-service/src/main/java/org/openmetadata/service/OpenMetadataApplication.java

@@ -29,6 +29,8 @@ import io.dropwizard.lifecycle.Managed;
 import io.dropwizard.server.DefaultServerFactory;
 import io.dropwizard.setup.Bootstrap;
 import io.dropwizard.setup.Environment;
+import io.dropwizard.web.WebBundle;
+import io.dropwizard.web.conf.WebConfiguration;
 import io.federecio.dropwizard.swagger.SwaggerBundle;
 import io.federecio.dropwizard.swagger.SwaggerBundleConfiguration;
 import io.socket.engineio.server.EngineIoServerOptions;
@@ -274,6 +276,13 @@ public class OpenMetadataApplication extends Application<OpenMetadataApplication
           }
         });
     bootstrap.addBundle(MicrometerBundleSingleton.getInstance());
+    bootstrap.addBundle(
+        new WebBundle<>() {
+          @Override
+          public WebConfiguration getWebConfiguration(final OpenMetadataApplicationConfig configuration) {
+            return configuration.getWebConfiguration();
+          }
+        });
     super.initialize(bootstrap);
   }
 

openmetadata-service/src/main/java/org/openmetadata/service/OpenMetadataApplicationConfig.java

@@ -17,6 +17,7 @@ import com.fasterxml.jackson.annotation.JsonProperty;
 import io.dropwizard.Configuration;
 import io.dropwizard.db.DataSourceFactory;
 import io.dropwizard.health.conf.HealthConfiguration;
+import io.dropwizard.web.conf.WebConfiguration;
 import io.federecio.dropwizard.swagger.SwaggerBundleConfiguration;
 import javax.validation.Valid;
 import javax.validation.constraints.NotNull;
@@ -96,6 +97,11 @@ public class OpenMetadataApplicationConfig extends Configuration {
   @JsonProperty("email")
   private SmtpSettings smtpSettings;
 
+  @Valid
+  @NotNull
+  @JsonProperty("web")
+  private WebConfiguration webConfiguration = new WebConfiguration();
+
   @JsonProperty("changeEventConfig")
   private ChangeEventConfiguration changeEventConfiguration;
 

pom.xml

@@ -148,6 +148,7 @@
     <dropwizardkafka.version>1.8.0</dropwizardkafka.version>
     <maven-release-plugin.version>2.5.3</maven-release-plugin.version>
     <unboundsdk.version>6.0.7</unboundsdk.version>
+    <dropwizard-web.version>1.5.1</dropwizard-web.version>
   </properties>
   <dependencyManagement>
     <dependencies>
@@ -232,6 +233,11 @@
         <artifactId>jdbi3-core</artifactId>
         <version>${jdbi3.version}</version>
       </dependency>
+      <dependency>
+        <groupId>io.dropwizard.modules</groupId>
+        <artifactId>dropwizard-web</artifactId>
+        <version>${dropwizard-web.version}</version>
+      </dependency>
       <dependency>
         <groupId>commons-cli</groupId>
         <artifactId>commons-cli</artifactId>