----- Original Message -----
From: "Bill Burke" <bburke(a)redhat.com>
To: "Stian Thorgersen" <stian(a)redhat.com>
Cc: keycloak-dev(a)lists.jboss.org
Sent: Monday, 11 August, 2014 4:50:41 PM
Subject: Re: [keycloak-dev] security headers/realm attributes
On 8/11/2014 11:33 AM, Stian Thorgersen wrote:
>
>
> ----- Original Message -----
>> From: "Bill Burke" <bburke(a)redhat.com>
>> To: keycloak-dev(a)lists.jboss.org
>> Sent: Monday, 11 August, 2014 4:19:26 PM
>> Subject: [keycloak-dev] security headers/realm attributes
>>
>> I'm going to add realm attributes to JPA model and move some stuff there
>> (brute force settings for example)
>>
>> Also, I'm going to add a new menu item "Attack Prevention" (if you can
>> think of a better name, let me know). Under this I'll move "Brute Force
>> Protection". Eventually we'll probably put IP Filtering there. Also,
>> will add a "Security Headers". Under this will allow you to manually
>> set these headers:
>
> "Intrusion prevention"?
>
> BTW the number of tabs on realm settings makes it span multiple rows if
> social is enabled
>
I didn't see this problem on Firefox unless you seriously minimized your
browser screen. I added more submenus because the Settings page was
scrolling off the page and you might not know some things exist.
I can break out roles/default roles into a new menu item?
I like the split, there was too much crud on one screen before. It happens when I enable
the social tab and it looks like there's not much that causes it to happen, so maybe
some issue with fonts on Windows vs Linux. Changing 'Cache Config' to just
'Cache' would work as well.
>>
>>
>> https://www.owasp.org/index.php/List_of_useful_HTTP_headers
>>
>> By default, iframe will use a same origin policy.
>>
>> Some of these headers are quite complex (Content-Security-Policy), so it
>> might be easiest to just allow the user to set the header manually.
>
> For 1.0.final that's probably best, but for the future I think we should
> figure this out so users don't have to ;)
>
I originally toyed with the idea of having a simple drop down list for
options, but when you look at Content-Security-Policy, it is quite
complex and I didn't want to create this huge UI for it.
We can set up some good defaults though.
+1 To good defaults, with some options on configuring it in the future
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
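The thread settles on two things: ship good defaults for the OWASP headers (same-origin framing by default), and let an admin set a header value manually as a realm attribute because Content-Security-Policy is too complex for a drop-down UI. The block below is an added example written for this page, not Keycloak code from the thread or the project. It assumes a realm-attribute naming scheme (`_browser_header.<Header-Name>`) chosen for illustration, and shows the two checks a practitioner wants when a header is admin-supplied verbatim: reject CR/LF so a stored attribute cannot inject extra headers, and flag an X-Frame-Options value that disagrees with the CSP `frame-ancestors` directive (browsers apply `frame-ancestors` in preference to X-Frame-Options when both are present, so a mismatch silently changes the framing policy).

```python
"""Security-header defaults driven by realm attributes.

Added example, not Keycloak code. The attribute prefix ``_browser_header.``
and the sample realm dicts below are constructed for illustration.
"""
from __future__ import annotations

# Conservative defaults for headers from the OWASP "useful HTTP headers" list.
# X-Frame-Options: SAMEORIGIN is the "iframe uses a same origin policy"
# default mentioned in the thread; frame-ancestors 'self' is its CSP twin.
DEFAULT_HEADERS: dict[str, str] = {
    "X-Frame-Options": "SAMEORIGIN",
    "Content-Security-Policy": "frame-src 'self'; frame-ancestors 'self'; object-src 'none'",
    "X-Content-Type-Options": "nosniff",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
}

ATTRIBUTE_PREFIX = "_browser_header."  # assumed realm-attribute key prefix


def build_security_headers(realm_attributes: dict[str, str]) -> dict[str, str]:
    """Return the headers to emit for a realm.

    A realm attribute ``_browser_header.<Header-Name>`` overrides the default
    verbatim (the "set the header manually" option from the thread); an empty
    string disables that header; anything else keeps the default.
    Raises ValueError on CR/LF so a stored value cannot split the response.
    """
    headers = dict(DEFAULT_HEADERS)
    for key, value in realm_attributes.items():
        if not key.startswith(ATTRIBUTE_PREFIX):
            continue
        if "\r" in value or "\n" in value:
            raise ValueError(f"header injection attempt in attribute {key!r}")
        name = key[len(ATTRIBUTE_PREFIX):]
        if value.strip() == "":
            headers.pop(name, None)
        else:
            headers[name] = value.strip()
    return headers


def parse_csp(policy: str) -> dict[str, list[str]]:
    """Split a CSP string into {directive: [source, ...]}; last directive wins."""
    directives: dict[str, list[str]] = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def framing_conflicts(headers: dict[str, str]) -> list[str]:
    """Report disagreements between X-Frame-Options and CSP frame-ancestors."""
    problems: list[str] = []
    xfo = headers.get("X-Frame-Options", "").strip().upper()
    ancestors = parse_csp(headers.get("Content-Security-Policy", "")).get("frame-ancestors")
    if xfo.startswith("ALLOW-FROM"):
        problems.append("X-Frame-Options ALLOW-FROM is not honoured by current browsers; "
                        "use CSP frame-ancestors instead")
    if ancestors is None:
        return problems
    lowered = [a.lower() for a in ancestors]
    if xfo == "DENY" and lowered != ["'none'"]:
        problems.append("X-Frame-Options DENY but CSP frame-ancestors permits framing "
                        "(the CSP wins in browsers that support it)")
    if xfo == "SAMEORIGIN" and lowered != ["'self'"]:
        problems.append("X-Frame-Options SAMEORIGIN but CSP frame-ancestors is "
                        + " ".join(ancestors))
    return problems


if __name__ == "__main__":
    # Constructed realm: an admin loosens framing for one partner origin but
    # forgets the CSP side, so the check reports the mismatch.
    realm = {
        "_browser_header.X-Frame-Options": "DENY",
        "_browser_header.Strict-Transport-Security": "",
    }
    hdrs = build_security_headers(realm)
    for name, value in hdrs.items():
        print(f"{name}: {value}")
    for problem in framing_conflicts(hdrs):
        print("WARNING:", problem)
```

Running the block prints the merged header set (HSTS dropped, X-Frame-Options replaced by DENY) followed by a warning that the default CSP still allows same-origin framing, which is exactly the kind of inconsistency a manual-override UI invites once CSP is in the mix.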