On 8/11/2014 11:33 AM, Stian Thorgersen wrote:
> ----- Original Message -----
> > From: "Bill Burke" <bburke(a)redhat.com>
> > To: keycloak-dev(a)lists.jboss.org
> > Sent: Monday, 11 August, 2014 4:19:26 PM
> > Subject: [keycloak-dev] security headers/realm attributes
> >
> > I'm going to add realm attributes to JPA model and move some stuff there
> > (brute force settings for example)
> >
> > Also, I'm going to add a new menu item "Attack Prevention" (if you can
> > think of a better name, let me know). Under this I'll move "Brute Force
> > Protection". Eventually we'll probably put IP Filtering there. Also,
> > will add a "Security Headers". Under this will allow you to manually
> > set these headers:
>
> "Intrusion prevention"?
>
> BTW the number of tabs on realm settings makes it span multiple rows if social is
> enabled

I didn't see this problem on Firefox unless you seriously minimized your
browser screen. I added more submenus because the Settings page was
scrolling off the page and you might not know some things exist.

I can break out roles/default roles into a new menu item?

> >
> > https://www.owasp.org/index.php/List_of_useful_HTTP_headers
> >
> > By default, iframe will use a same origin policy.
> >
> > Some of these headers are quite complex (Content-Security-Policy), so it
> > might be easiest to just allow the user to set the header manually.
>
> For 1.0.final that's probably best, but for the future I think we should figure this
> out so users don't have to ;)
I originally toyed with the idea of having a simple drop down list for
options, but when you look at Content-Security-Policy, it is quite
complex and I didn't want to create this huge UI for it.
We can set up some good defaults though.
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
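An added example (not Keycloak's code or Bill's proposal) of the "good defaults plus manual override" idea discussed in the thread: realm attributes set by an admin override the same-origin framing defaults, and an audit flags weak framing protection. The attribute key prefix and the attribute dict shape are assumptions for illustration.

```python
"""Merge admin-set security headers over safe defaults and audit them."""

# Defaults matching the thread: frames restricted to the same origin.
DEFAULT_HEADERS = {
    "X-Frame-Options": "SAMEORIGIN",
    "Content-Security-Policy": "frame-src 'self'; frame-ancestors 'self'",
    "X-Content-Type-Options": "nosniff",
}
# Hypothetical realm-attribute key prefix for manually set headers (assumed).
REALM_ATTR_PREFIX = "_browser_header."


def effective_headers(realm_attributes):
    """Merge admin-set header attributes over the defaults.
    An attribute set to an empty string disables that header."""
    headers = dict(DEFAULT_HEADERS)
    for key, value in realm_attributes.items():
        if key.startswith(REALM_ATTR_PREFIX):
            name = key[len(REALM_ATTR_PREFIX):]
            if value.strip() == "":
                headers.pop(name, None)
            else:
                headers[name] = value.strip()
    return headers


def parse_csp(value):
    """Split a Content-Security-Policy value into {directive: [sources]}."""
    directives = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def audit(headers):
    """Return findings about clickjacking (framing) protection."""
    findings = []
    xfo = headers.get("X-Frame-Options", "").upper()
    csp = parse_csp(headers.get("Content-Security-Policy", ""))
    ancestors = csp.get("frame-ancestors")
    if not xfo and ancestors is None:
        findings.append("no clickjacking protection: set X-Frame-Options or frame-ancestors")
    if xfo.startswith("ALLOW-FROM"):
        findings.append("X-Frame-Options ALLOW-FROM is not supported by all browsers; prefer frame-ancestors")
    if ancestors is not None and "*" in ancestors:
        findings.append("frame-ancestors * permits framing from any origin")
    return findings
```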