All,
I noticed that some components are implementing a custom CORS filter.
This is a feature that is also provided by Keycloak, and
administrators can use KC to set which origins and methods are
allowed via its UI.
If you absolutely need a custom CORS filter for a different reason,
make sure to:
1) tell Keycloak not to handle CORS on your behalf. For instance, if I
were to disable Keycloak's CORS filter for Accounts, I'd change this
line to "false":
http://git.io/vTrkl
2) validate the user input ("origin" is a value that can be faked), so
that you are not vulnerable to an HTTP splitting attack:
https://www.owasp.org/index.php/HTTP_Response_Splitting
- Juca.
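As an added example (not code from this message or from Keycloak), a servlet filter that follows both points above: it assumes Keycloak's own CORS handling has already been switched off for the component, and it only ever echoes an Origin value that exactly matches a constructed allowlist (ALLOWED_ORIGINS is a hypothetical value), rejecting anything that carries control characters such as CR or LF.

```java
import java.io.IOException;
import java.util.*;
import javax.servlet.*;
import javax.servlet.http.*;

// Added example, not Keycloak's code. Assumes Keycloak's own CORS handling
// is disabled for this component and that ALLOWED_ORIGINS is a constructed
// allowlist of trusted origins.
public class StrictCorsFilter implements Filter {
    private static final Set<String> ALLOWED_ORIGINS = new HashSet<>(Arrays.asList(
            "https://app.example.com", "https://admin.example.com"));

    // Exact, case-sensitive match against the allowlist. Unknown origins, "null",
    // and values carrying CR/LF or other control characters are all rejected, so
    // nothing attacker-controlled ever reaches a response header. Do not relax
    // this to a prefix or substring match: it would accept look-alike origins.
    static boolean isAllowedOrigin(String origin) {
        if (origin == null) return false;
        for (int i = 0; i < origin.length(); i++) {
            char c = origin.charAt(i);
            if (c < 0x20 || c == 0x7f) return false;
        }
        return ALLOWED_ORIGINS.contains(origin);
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        String origin = request.getHeader("Origin");
        if (isAllowedOrigin(origin)) {
            // Echo only the allowlisted value; Vary tells caches that the
            // answer depends on the Origin header.
            response.setHeader("Access-Control-Allow-Origin", origin);
            response.setHeader("Vary", "Origin");
            response.setHeader("Access-Control-Allow-Methods", "GET, POST, OPTIONS");
            response.setHeader("Access-Control-Allow-Headers", "Authorization, Content-Type");
            if ("OPTIONS".equals(request.getMethod())) {
                response.setStatus(HttpServletResponse.SC_NO_CONTENT); // preflight answered
                return;
            }
        }
        // Rejected origins get no CORS headers, so the browser refuses the read.
        chain.doFilter(req, res);
    }

    @Override public void init(FilterConfig config) {}
    @Override public void destroy() {}
}
```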