Securing Hue from CWE-16

Hue may have allowed external domains such as,, or * to run JavaScript for certain URLs in its Content Security Policy (CSP) headers. The Common Weakness Enumeration classes this kind of over-permissive setting under CWE-16 (Configuration). To secure Hue against this class of weakness, add the X-Content-Type-Options response HTTP header, which prevents attacks based on MIME-type confusion, through Hue's Advanced Configuration Snippet in Cloudera Manager.

  1. Log in to Cloudera Manager as an Administrator.
  2. Go to Clusters > Hue > Configuration and add the following lines in the Hue Service Advanced Configuration Snippet (Safety Valve) for field:
    # X-Content-Type-Options: nosniff is an HTTP response header
    # feature that helps prevent attacks based on MIME-type confusion.
    secure_content_security_policy="script-src 'self' 'unsafe-inline' 'unsafe-eval' * * data:;img-src 'self' * http://* * * data:;style-src 'self' 'unsafe-inline';connect-src 'self' *;frame-src *;child-src 'self' data: *;object-src 'none'"
  3. Click Save Changes.
  4. Restart the Hue service.
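After the restart, a practitioner will want to confirm that the headers Hue actually sends reflect the change. The script below is an added example, not Cloudera's or Hue's own code: it parses a Content-Security-Policy value into its directives, flags script sources that let any host serve JavaScript (a bare `*` or `http://*`), reports the relaxations Hue's own policy relies on (`'unsafe-inline'`, `'unsafe-eval'`, `data:`) at a lower severity, and checks for `X-Content-Type-Options: nosniff`. The two header maps are constructed samples, not captures from a real Hue instance; in practice you would feed it the headers returned by the Hue login page.

```python
from typing import Dict, List, Tuple

# A finding is (severity, message). "high" marks settings that let any origin
# serve scripts or that leave MIME sniffing on; "warn" marks relaxations that
# Hue's own CSP needs but that are still worth knowing about.
Finding = Tuple[str, str]

WARN_SOURCES = {"'unsafe-inline'", "'unsafe-eval'", "data:"}
HIGH_SOURCES = {"*", "http:", "https:"}


def parse_csp(value: str) -> Dict[str, List[str]]:
    """Split a Content-Security-Policy value into {directive: [source, ...]}.

    Directives are ';'-separated; within each, the first token is the directive
    name and the remaining whitespace-separated tokens are its sources.
    """
    directives: Dict[str, List[str]] = {}
    for clause in value.split(";"):
        tokens = clause.split()
        if not tokens:
            continue
        directives.setdefault(tokens[0].lower(), []).extend(tokens[1:])
    return directives


def host_of(source: str) -> str:
    """Return the host part of a CSP host-source.

    'http://*.tile.example:8080/x' -> '*.tile.example'; keywords such as
    "'self'" or scheme-sources such as 'data:' are returned unchanged enough
    that they never compare equal to '*'.
    """
    rest = source.split("://", 1)[1] if "://" in source else source
    return rest.split("/", 1)[0].split(":", 1)[0]


def audit_csp(directives: Dict[str, List[str]]) -> List[Finding]:
    """Inspect the parsed policy for the weaknesses discussed on this page."""
    findings: List[Finding] = []
    # script-src falls back to default-src; with neither present, any origin may serve scripts
    scripts = directives.get("script-src") or directives.get("default-src") or []
    if not scripts:
        findings.append(("high", "no script-src/default-src: scripts allowed from any origin"))
    for src in scripts:
        if src in HIGH_SOURCES or host_of(src) == "*":
            findings.append(("high", f"script-src allows scripts from any host via {src}"))
        elif src in WARN_SOURCES:
            findings.append(("warn", f"script-src relaxes the policy with {src}"))
    if directives.get("object-src") != ["'none'"]:
        findings.append(("warn", "object-src is not 'none'"))
    return findings


def audit_headers(headers: Dict[str, str]) -> List[Finding]:
    """Check a response header map for nosniff and for an acceptable CSP."""
    lowered = {name.lower(): value for name, value in headers.items()}
    findings: List[Finding] = []
    if lowered.get("x-content-type-options", "").strip().lower() != "nosniff":
        findings.append(("high", "missing X-Content-Type-Options: nosniff"))
    csp = lowered.get("content-security-policy")
    if csp is None:
        findings.append(("high", "missing Content-Security-Policy"))
    else:
        findings.extend(audit_csp(parse_csp(csp)))
    return findings


def is_hardened(headers: Dict[str, str]) -> bool:
    """True when no high-severity finding remains."""
    return not any(severity == "high" for severity, _ in audit_headers(headers))


# Constructed sample responses (assumption: illustrative only, not captured from Hue).
WEAK_RESPONSE = {
    "Content-Type": "text/html",
    "Content-Security-Policy": "script-src 'self' * http://*;img-src *;frame-src *",
}
HARDENED_RESPONSE = {
    "Content-Type": "text/html",
    "X-Content-Type-Options": "nosniff",
    "Content-Security-Policy": (
        "script-src 'self' 'unsafe-inline' 'unsafe-eval' data:;"
        "img-src 'self' data:;style-src 'self' 'unsafe-inline';"
        "connect-src 'self';frame-src *;child-src 'self' data: *;object-src 'none'"
    ),
}

if __name__ == "__main__":
    for label, response in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(f"{label}: hardened={is_hardened(response)}")
        for severity, message in audit_headers(response):
            print(f"  [{severity}] {message}")
```

The hardened sample still produces `warn` findings for `'unsafe-inline'`, `'unsafe-eval'` and `data:`, which matches the policy in the snippet above: Hue's front end needs those relaxations, so the check treats them as informational and reserves `high` for the conditions that the page's change actually removes.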