Configuring HTTP Headers for Cloudera AI

This topic provides guidance on customizing the HTTP headers that are accepted by Cloudera AI.

Required Role: Site Administrator

These properties are available under Site Administration > Security.

Enable Cross-Origin Resource Sharing (CORS)

Most modern browsers enforce the Same-Origin Policy, which restricts how a document or a script from one origin can interact with a resource from another origin. When the Enable cross-origin resource sharing property is enabled on Cloudera AI, web servers add the Access-Control-Allow-Origin: * HTTP header to their HTTP responses; because the value is the wildcard, web applications served from any other domain can access the Cloudera AI API through browsers.

This property is disabled by default.

If this property is disabled, web applications from different domains will not be able to programmatically communicate with the Cloudera AI API through browsers.

Enable HTTP security headers

When the Enable HTTP security headers property is enabled, the following HTTP headers are included in HTTP responses from servers:
  • X-XSS-Protection
  • X-DNS-Prefetch-Control
  • X-Frame-Options
  • X-Download-Options
  • X-Content-Type-Options

This property is enabled by default.

Disabling this property might expose your Cloudera AI deployment to vulnerabilities, such as clickjacking, cross-site scripting (XSS), or other injection attacks.

Enable HTTP Strict Transport Security (HSTS)

When both the TLS/SSL and the Enable HTTP Strict Transport Security (HSTS) property are enabled, Cloudera AI instructs your browser not to load sites using HTTP. Additionally, all attempts to access Cloudera AI using HTTP will automatically be converted to HTTPS.

This property is disabled by default.
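The three settings above (CORS, HTTP security headers, HSTS) are each visible in the response headers a Cloudera AI server sends, so a site administrator can confirm the effective configuration from a captured response rather than from the UI alone. The following is an added example, not Cloudera's own code: it parses a raw HTTP/1.1 response, checks for the wildcard Access-Control-Allow-Origin header, the five security headers listed on this page, and the Strict-Transport-Security header, and reports what it finds. The two sample responses are constructed for illustration; the header values in them are common defaults, not values captured from a Cloudera AI deployment.

```python
"""Audit a raw HTTP response for the headers controlled by the Cloudera AI
Site Administration > Security settings (CORS, security headers, HSTS).

Added example; sample responses below are constructed, not captured.
"""
from __future__ import annotations

import re

# Headers added when "Enable HTTP security headers" is on (the list on this page).
SECURITY_HEADERS = (
    "X-XSS-Protection",
    "X-DNS-Prefetch-Control",
    "X-Frame-Options",
    "X-Download-Options",
    "X-Content-Type-Options",
)


def parse_response_headers(raw: str) -> tuple[str, dict[str, list[str]]]:
    """Split a raw HTTP/1.1 response into its status line and a header map.

    Header names are lower-cased so lookups are case-insensitive; repeated
    headers are kept in order as a list of values. The body is ignored.
    """
    head = raw.split("\r\n\r\n", 1)[0]
    status, *lines = head.split("\r\n")
    headers: dict[str, list[str]] = {}
    for line in lines:
        name, sep, value = line.partition(":")
        if sep:  # skip blank or malformed lines
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return status, headers


def hsts_max_age(value: str) -> int | None:
    """Return max-age (seconds) from a Strict-Transport-Security value, or None.

    This is the lifetime a browser remembers the HTTPS-only policy for, which is
    why disabling HSTS on the server alone does not immediately revert clients.
    """
    m = re.search(r'max-age\s*=\s*"?(\d+)', value, re.IGNORECASE)
    return int(m.group(1)) if m else None


def audit_headers(raw: str) -> dict:
    """Report which settings appear to be in effect and list the gaps to review."""
    _, headers = parse_response_headers(raw)
    acao = headers.get("access-control-allow-origin", [])
    hsts = headers.get("strict-transport-security", [])
    missing = [h for h in SECURITY_HEADERS if h.lower() not in headers]

    findings = []
    if "*" in acao:
        findings.append("CORS enabled with wildcard origin: any site can call the API from a browser")
    if missing:
        findings.append("security headers missing: " + ", ".join(missing))
    if not hsts:
        findings.append("no HSTS header: browsers will still load the site over plain HTTP")

    return {
        "cors_enabled": bool(acao),
        "cors_wildcard": "*" in acao,
        "security_headers_missing": missing,
        "hsts_enabled": bool(hsts),
        "hsts_max_age": hsts_max_age(hsts[0]) if hsts else None,
        "findings": findings,
    }


# Constructed response reflecting the page's defaults: CORS off, security headers on, HSTS off.
DEFAULT_SETTINGS_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: application/json\r\n"
    "X-XSS-Protection: 1; mode=block\r\n"
    "X-DNS-Prefetch-Control: off\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "X-Download-Options: noopen\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "\r\n"
    '{"ok":true}'
)

# Constructed response with all three properties enabled (CORS deliberately turned on).
ALL_ENABLED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: application/json\r\n"
    "Access-Control-Allow-Origin: *\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    "X-XSS-Protection: 1; mode=block\r\n"
    "X-DNS-Prefetch-Control: off\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "X-Download-Options: noopen\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "\r\n"
    '{"ok":true}'
)

if __name__ == "__main__":
    for label, raw in (("defaults", DEFAULT_SETTINGS_RESPONSE), ("all enabled", ALL_ENABLED_RESPONSE)):
        report = audit_headers(raw)
        print(label, report["findings"] or ["no findings"])
```

Run against a response captured from your own deployment (for example, the raw output of a request made with verbose header logging) to confirm that the security headers are present and that CORS is only enabled where a cross-domain web application actually needs it; the HSTS max-age the audit reports is the period during which browsers that have seen the header will keep rewriting HTTP to HTTPS.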

To revert to HTTP, use the following steps:
  1. Deactivate the Enable HTTP Strict Transport Security (HSTS) checkbox to disable HSTS and restart Cloudera AI.
  2. Load the Cloudera AI web application in each browser to clear the respective browser's HSTS setting.
  3. Disable TLS/SSL across the cluster.
By following these instructions, you can prevent users from being locked out of their accounts due to issues caused by browser caching.