[ https://issues.jboss.org/browse/WFLY-12155?page=com.atlassian.jira.plugin... ] Jan Stourac updated WFLY-12155: ------------------------------- Description: Even though we should probably avoid using non-standardized HTTP headers, since there is already X-FRAME-OPTIONS present in a management WFCORE-1463, I propose to consider to add also [X-XSS-Protection|https://developer.mozilla.org/en-US/docs/Web/HTTP/Header...] header in a default configuration of the management too. Benefit is slightly improved security for customers using Web Console management. Viable value variants are one of the following two: {code} X-XSS-Protection: 1 X-XSS-Protection: 1; mode=block {code} Current header provided: {code} curl -v http://localhost:9990/console/index.html ... < HTTP/1.1 200 OK < Connection: keep-alive < Last-Modified: Wed, 29 May 2019 11:09:49 GMT < X-Frame-Options: SAMEORIGIN < Content-Length: 1289 < Content-Type: text/html < Accept-Ranges: bytes < Date: Mon, 03 Jun 2019 08:05:05 GMT ... {code} was: Even though we should probably avoid using non-standardized HTTP headers, since there is already X-FRAME-OPTIONS present in a management WFCORE-1463, I propose to consider to add also [X-XSS-PROTECTION|https://developer.mozilla.org/en-US/docs/Web/HTTP/Header...] header in a default configuration of the management too. Benefit is slightly improved security for customers using Web Console management. Viable value variants are one of the following two: {code} X-XSS-Protection: 1 X-XSS-Protection: 1; mode=block {code} -- This message was sent by Atlassian Jira (v7.12.1#712002)