Re: [keycloak-user] Disable CORS on realm endpoints?

Hi Joe, I may have a solution for your problem but that will get rid off all CORS headers of Keycloak. In Keycloak_root/standalone/configuration/standalone.xml: 1. Find '<response-header name="x-powered-by-header" ', 2. Duplicate the line and change the header to whatever you like (each for every CORS header) and leave the value empty. 3. Find '<filter-ref name="x-powered-by-header"/>' 4. Also duplicate that line and change it to any header you like. Hopefully that'd override Keycloak's code. Another solution (recommended), create a proxy server (Netflix Zuul or HAProxy perhaps) and strip away those headers before returning the response. Then you'd be in full control of what headers are returned to the end-user's browser. Good luck! Kind regards, Kevin Berendsen -----Oorspronkelijk bericht----- Van: keycloak-user-bounces(a)lists.jboss.org [mailto:keycloak-user-bounces@lists.jboss.org] Namens Joe Rowe Verzonden: donderdag 30 maart 2017 9:18 Aan: keycloak-user(a)lists.jboss.org Onderwerp: [keycloak-user] Disable CORS on realm endpoints? Hi all, Is there a configuration setting which will disable CORS at the endpoint url: <server>/auth/realms/<valid realm> ? CORS is on by default here, but is not needed for our application and causes false positives in pen testing. Any help would be gratefully received! Thanks Joe _______________________________________________ keycloak-user mailing list keycloak-user(a)lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-user