Brian Stansberry moved WFLY-12155 to WFCORE-4512:
-------------------------------------------------
Project: WildFly Core (was: WildFly)
Key: WFCORE-4512 (was: WFLY-12155)
Component/s: Management
(was: Management)
Affects Version/s: (was: 16.0.0.Final)
Add X-XSS-Protection header to default management config
--------------------------------------------------------
Key: WFCORE-4512
URL:
https://issues.jboss.org/browse/WFCORE-4512
Project: WildFly Core
Issue Type: Enhancement
Components: Management
Reporter: Jan Stourac
Assignee: Jeff Mesnil
Priority: Major
Even though we should probably avoid using non-standardized HTTP headers, since X-FRAME-OPTIONS is already present in the management configuration (WFCORE-1463), I propose to consider also adding the [X-XSS-Protection|https://developer.mozilla.org/en-US/docs/Web/HTTP/Header...] header to the default management configuration.
The benefit is slightly improved security for customers using the Web Console management.
Viable values are one of the following two:
{code}
X-XSS-Protection: 1
X-XSS-Protection: 1; mode=block
{code}
Headers currently provided:
{code}
curl -v http://localhost:9990/console/index.html
...
< HTTP/1.1 200 OK
< Connection: keep-alive
< Last-Modified: Wed, 29 May 2019 11:09:49 GMT
< X-Frame-Options: SAMEORIGIN
< Content-Length: 1289
< Content-Type: text/html
< Accept-Ranges: bytes
< Date: Mon, 03 Jun 2019 08:05:05 GMT
...
{code}
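A small checker for the two headers this issue is about, added here as an example and not part of the issue or of WildFly itself. It parses a raw response head (either a plain header block or the `< `-prefixed lines that `curl -v` prints, as quoted above) and reports whether X-Frame-Options is present and whether X-XSS-Protection carries one of the two values the issue proposes. The two sample responses embedded in the block are constructed: the first mirrors the head quoted in the issue, the second is what the same head would look like with the proposal applied.

```python
"""Check a management-console HTTP response head for the headers discussed in WFCORE-4512.

Added example, not WildFly code. Feed it the header block captured with
`curl -v` (or `curl -sD - -o /dev/null`) and it reports, per header, whether
the value is one the issue proposes.
"""
import re
from typing import Dict, Tuple

# Expected values: X-Frame-Options as currently shipped (either standard value),
# X-XSS-Protection as proposed in the issue (either of its two variants).
EXPECTED: Dict[str, Tuple[str, ...]] = {
    "x-frame-options": ("SAMEORIGIN", "DENY"),
    "x-xss-protection": ("1", "1; mode=block"),
}


def parse_headers(raw: str) -> Dict[str, str]:
    """Parse a raw HTTP/1.1 response head into a lower-cased name -> value map.

    Lines prefixed with '< ' (curl -v output) are accepted as well as a plain
    header block. The status line, blank lines and non-header lines (such as
    curl's '...' elision) are skipped. Duplicate headers keep the last value.
    """
    headers: Dict[str, str] = {}
    for line in raw.splitlines():
        line = line[2:] if line.startswith("< ") else line
        line = line.strip()
        if not line or line.startswith("HTTP/"):
            continue
        name, sep, value = line.partition(":")
        if not sep:
            continue
        headers[name.strip().lower()] = value.strip()
    return headers


def normalise(value: str) -> str:
    """Collapse whitespace around ';' so '1;mode=block' and '1; mode=block' compare equal."""
    return re.sub(r"\s*;\s*", "; ", value.strip())


def check_security_headers(raw: str) -> Dict[str, str]:
    """Return {header: 'ok' | 'missing' | 'unexpected: <value>'} for each expected header."""
    present = parse_headers(raw)
    report: Dict[str, str] = {}
    for name, allowed in EXPECTED.items():
        if name not in present:
            report[name] = "missing"
            continue
        value = normalise(present[name]).lower()
        ok = any(value == normalise(a).lower() for a in allowed)
        report[name] = "ok" if ok else f"unexpected: {present[name]}"
    return report


# Constructed sample: the response head quoted in the issue (only X-Frame-Options).
CURRENT_RESPONSE = """\
< HTTP/1.1 200 OK
< Connection: keep-alive
< X-Frame-Options: SAMEORIGIN
< Content-Type: text/html
< Date: Mon, 03 Jun 2019 08:05:05 GMT
...
"""

# Constructed sample: the same head with the proposed header added.
PROPOSED_RESPONSE = """\
HTTP/1.1 200 OK
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
Content-Type: text/html
"""

if __name__ == "__main__":
    for label, raw in (("current", CURRENT_RESPONSE), ("proposed", PROPOSED_RESPONSE)):
        print(label, check_security_headers(raw))
```

Against a live server, pipe `curl -sD - -o /dev/null http://localhost:9990/console/index.html` into `check_security_headers`. One caveat a reviewer of this proposal would want on record: X-XSS-Protection was never standardized, Firefox never implemented it, and Chromium removed its XSS Auditor in version 78 (late 2019), so in current browsers the header is inert; the OWASP Secure Headers Project now recommends sending `X-XSS-Protection: 0` and relying on a Content-Security-Policy instead. The checker's `EXPECTED` table can be adjusted to whichever value the project finally settles on.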