[keycloak-dev] security headers/realm attributes

Stian Thorgersen stian at redhat.com
Tue Aug 12 04:50:36 EDT 2014



----- Original Message -----
> From: "Bill Burke" <bburke at redhat.com>
> To: "Stian Thorgersen" <stian at redhat.com>
> Cc: keycloak-dev at lists.jboss.org
> Sent: Monday, 11 August, 2014 4:50:41 PM
> Subject: Re: [keycloak-dev] security headers/realm attributes
> 
> 
> 
> On 8/11/2014 11:33 AM, Stian Thorgersen wrote:
> >
> >
> > ----- Original Message -----
> >> From: "Bill Burke" <bburke at redhat.com>
> >> To: keycloak-dev at lists.jboss.org
> >> Sent: Monday, 11 August, 2014 4:19:26 PM
> >> Subject: [keycloak-dev] security headers/realm attributes
> >>
> >> I'm going to add realm attributes to JPA model and move some stuff there
> >> (brute force settings for example)
> >>
> >> Also, I'm going to add a new menu item "Attack Prevention"  (if you can
> >> think of a better name, let me know).  Under this I'll move "Brute Force
> >> Protection".  Eventually we'll probably put IP Filtering there.  Also,
> >> will add a "Security Headers".  Under this will allow you to manually
> >> set these headers:
> >
> > "Intrusion prevention"?
> >
> > BTW the number of tabs on realm settings makes it span multiple rows if
> > social is enabled
> >
> 
> I didn't see this problem on Firefox unless you seriously minimized your
> browser screen.  I added more submenus because the Settings page was
> scrolling off the page and you might not know some things exist.
> 
> I can break out roles/default roles into a new menu item?

I like the split, there was too much crud on one screen before. It happens when I enable the social tab and it looks like there's not much that causes it to happen, so may be some issue with fonts on Windows vs Linux. Changing 'Cache Config' to just 'Cache' would work as well.

> 
> >>
> >> https://www.owasp.org/index.php/List_of_useful_HTTP_headers
> >>
> >> By default, iframe will use a same origin policy.
> >>
> >> Some of these headers are quite complex (Content-Security-Policy), so it
> >> might be easiest to just allow the user to set the header manually.
> >
> > For 1.0.final that's probably best, but for the future I think we should
> > figure this out so users doesn't have to ;)
> >
> 
> I originally toyed with the idea of having a simple drop down list for
> options, but when you look at Content-Security-Policy, it is quite
> complex and I didn't want to create this huge UI for it.
> 
> We can set up some good defaults though.

+1 To good defaults, with some options on configuring it in the future

> 
> --
> Bill Burke
> JBoss, a division of Red Hat
> http://bill.burkecentral.com
> 
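The thread settles on "good defaults, manual override for the complex headers". As an added illustration (not Keycloak code, and not Bill's or Stian's), the following sketches that model: a fixed set of default headers, per-realm attribute overrides keyed by a hypothetical `_browser_header.` prefix (the real attribute names are an assumption here), a value check that rejects CR/LF so a hand-typed header cannot split the response, and a small lint over a Content-Security-Policy value that points out the weakenings a manually entered policy most often introduces. The default values are this example's choices, not the project's.

```python
"""Security-header defaults with per-realm overrides (added example, not Keycloak code)."""
from typing import Dict, List, Mapping

# Defaults a realm gets when nothing is configured. Values chosen for this
# example: frames restricted to the same origin, as the thread describes.
DEFAULT_SECURITY_HEADERS: Dict[str, str] = {
    "X-Frame-Options": "SAMEORIGIN",
    "Content-Security-Policy": "frame-src 'self'; frame-ancestors 'self'; object-src 'none'",
    "X-Content-Type-Options": "nosniff",
}

# Hypothetical realm-attribute prefix; the real Keycloak attribute names may differ.
ATTRIBUTE_PREFIX = "_browser_header."


class InvalidHeaderValue(ValueError):
    """Raised when an operator-supplied header value is not safe to emit."""


def validate_header_value(name: str, value: str) -> str:
    """Return a cleaned header value, refusing anything that could split the response."""
    if any(ch in value for ch in "\r\n\0"):
        raise InvalidHeaderValue(f"{name}: control characters are not allowed in header values")
    if not value.isprintable():
        raise InvalidHeaderValue(f"{name}: non-printable characters are not allowed")
    return value.strip()


def resolve_security_headers(realm_attributes: Mapping[str, str]) -> Dict[str, str]:
    """Merge realm attribute overrides onto the defaults.

    An override with an empty value disables that header for the realm.
    """
    headers = dict(DEFAULT_SECURITY_HEADERS)
    for key, raw in realm_attributes.items():
        if not key.startswith(ATTRIBUTE_PREFIX):
            continue  # unrelated realm attribute (brute force settings etc.)
        name = key[len(ATTRIBUTE_PREFIX):]
        value = validate_header_value(name, raw)
        if value == "":
            headers.pop(name, None)
        else:
            headers[name] = value
    return headers


def parse_csp(value: str) -> Dict[str, List[str]]:
    """Split a CSP header into {directive: [sources]}; the first occurrence of a directive wins."""
    directives: Dict[str, List[str]] = {}
    for part in value.split(";"):
        tokens = part.split()
        if not tokens:
            continue
        name = tokens[0].lower()
        if name not in directives:
            directives[name] = tokens[1:]
    return directives


def lint_csp(value: str) -> List[str]:
    """Return human-readable findings for common weakenings in a hand-written CSP."""
    findings: List[str] = []
    directives = parse_csp(value)
    if "frame-ancestors" not in directives:
        findings.append("frame-ancestors missing: embedding is controlled only by X-Frame-Options")
    for name, sources in directives.items():
        if "*" in sources:
            findings.append(f"{name} allows any source ('*')")
        if name in ("script-src", "default-src") and "'unsafe-inline'" in sources:
            findings.append(f"{name} permits inline scripts ('unsafe-inline')")
    return findings


if __name__ == "__main__":
    # Constructed realm attributes: tighten framing, drop nosniff, leave CSP at default.
    sample_attributes = {
        "_browser_header.X-Frame-Options": "DENY",
        "_browser_header.X-Content-Type-Options": "",
        "bruteForceProtected": "true",
    }
    for header, val in resolve_security_headers(sample_attributes).items():
        print(f"{header}: {val}")
    print(lint_csp("default-src *; script-src 'unsafe-inline'"))
```

Empty overrides disabling a header, rather than a separate "enabled" flag, keeps the attribute model to one key per header; the lint is advisory and meant for the admin console, so it returns findings instead of rejecting the policy.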

