Securing Hue from CWE-16

Hue may have allowed external domains such as doubleclick.net, .googletagmanager.com, or *.google-analytics.com to run JavaScript scripts, for certain URLs in the Content Security Policy (CSP) headers. This may lead to Common Weakness Enumeration (CWE-16). To secure Hue from CWE-16 class of weaknesses, you can add the X-Content-Type-Options response HTTP header and prevent attacks based on MIME-type confusions in Hue’s Advanced Configuration Snippet using Cloudera Manager.

Go to Clusters > Hue > Configuration and add the following lines in the Hue Service Advanced Configuration Snippet (Safety Valve) for hue_safety_valve.in field:

[desktop]
# X-Content-Type-Options: nosniff This is an HTTP response header
# feature that helps prevent attacks based on MIME-type confusion.

secure_content_security_policy="script-src 'self' 'unsafe-inline' 'unsafe-eval' *.googletagmanager.com *.doubleclick.net data:;img-src 'self' *.doubleclick.net http://*.tile.osm.org *.tile.osm.org *.gstatic.com data:;style-src 'self' 'unsafe-inline' fonts.googleapis.com;connect-src 'self' *.google-analytics.com;frame-src *;child-src 'self' data: *.vimeo.com;object-src 'none'"

Click Save Changes.
Restart the Hue service.