Darran Lofthouse reassigned WFLY-12095:
---------------------------------------
Assignee: (was: Darran Lofthouse)
Use HTTPS and only HTTPS for management interfaces in default
configuration
---------------------------------------------------------------------------
Key: WFLY-12095
URL: https://issues.jboss.org/browse/WFLY-12095
Project: WildFly
Issue Type: Enhancement
Components: Management, Security
Affects Versions: 16.0.0.Final
Reporter: Jan Stourac
Priority: Major
The current default configuration of WildFly uses plaintext HTTP for the management
interfaces that are used for web-console access. Even though it is possible to switch to
HTTPS after login to the web-console, I believe we should incorporate an HTTPS and only
HTTPS configuration of the management interfaces in our default WildFly configuration.
Note that digest-auth is used for web-console login, thus the password is not sent in
plain text over the network, although there is still the possibility of a MITM attack, as
such one can see what management operations are performed (the actual request payload is
binary, although I presume that it is easy to decode when one knows how to do it).
Yes, I understand that by default there will be just a self-signed certificate generated
for the server on the first HTTPS request, but I believe it is still an improvement.
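One way to get the HTTPS-only management interface the issue asks for on a WildFly 16 standalone server, as an added jboss-cli script that is not part of the issue or of WildFly's shipped default configuration; the resource names (mgmtKS, mgmtKM, mgmtSSC), the keystore file name, the alias, the CHANGE_ME password placeholder and the use of the standard management-https socket binding (port 9993) are assumptions for illustration:

```jboss-cli
# Added example: make the WildFly management HTTP interface HTTPS-only via Elytron.
# Run against a running server with: jboss-cli.sh --connect --file=mgmt-https-only.cli
# Assumed names: mgmtKS / mgmtKM / mgmtSSC, management.keystore, alias "management".
# CHANGE_ME is a placeholder; in a real deployment reference a credential store
# instead of a clear-text password.

# 1. Key store holding the server key pair. A self-signed certificate is generated
#    here, matching the self-signed default the issue expects.
/subsystem=elytron/key-store=mgmtKS:add(path=management.keystore,relative-to=jboss.server.config.dir,type=JKS,credential-reference={clear-text=CHANGE_ME})
/subsystem=elytron/key-store=mgmtKS:generate-key-pair(alias=management,algorithm=RSA,key-size=2048,validity=365,distinguished-name="CN=localhost",credential-reference={clear-text=CHANGE_ME})
/subsystem=elytron/key-store=mgmtKS:store()

# 2. Key manager and server SSL context, restricted to TLS 1.2.
/subsystem=elytron/key-manager=mgmtKM:add(key-store=mgmtKS,credential-reference={clear-text=CHANGE_ME})
/subsystem=elytron/server-ssl-context=mgmtSSC:add(key-manager=mgmtKM,protocols=["TLSv1.2"])

# 3. Attach the SSL context to the management interface, bind it to the
#    management-https socket binding, and undefine the plaintext socket-binding so
#    the HTTP port (9990 by default) is no longer opened at all.
/core-service=management/management-interface=http-interface:write-attribute(name=ssl-context,value=mgmtSSC)
/core-service=management/management-interface=http-interface:write-attribute(name=secure-socket-binding,value=management-https)
/core-service=management/management-interface=http-interface:undefine-attribute(name=socket-binding)

# 4. Apply the change; the interface is reconfigured on reload.
reload
```

After the reload the plaintext endpoint is gone, so later CLI sessions must connect with `--controller=https-remoting://localhost:9993`, and the CLI will prompt before trusting the self-signed certificate.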