Hi Joe,
I may have a solution for your problem, but it will get rid of all CORS headers of
Keycloak.
In Keycloak_root/standalone/configuration/standalone.xml:
1. Find '<response-header name="x-powered-by-header" ',
2. Duplicate the line and change the header to whatever you like (each for every CORS
header) and leave the value empty.
3. Find '<filter-ref name="x-powered-by-header"/>'
4. Also duplicate that line and change it to any header you like.
Hopefully that'd override Keycloak's code.
Another solution (recommended), create a proxy server (Netflix Zuul or HAProxy perhaps)
and strip away those headers before returning the response. Then you'd be in full
control of what headers are returned to the end-user's browser.
Good luck!
Kind regards,
Kevin Berendsen
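The proxy approach from the reply above, as an added example that is not Kevin's or the Keycloak project's configuration: an HAProxy fragment that removes the CORS response headers on the realm endpoints before they reach the browser. Assumed: HAProxy terminates TLS on port 443 with a placeholder certificate path, Keycloak listens on 127.0.0.1:8080 under /auth/, and the acl and variable names are made up for this example.

```haproxy
# Added example (not from the thread): HAProxy in front of Keycloak, stripping
# the CORS response headers on realm endpoints before the browser sees them.
# Assumptions: placeholder certificate path, Keycloak on 127.0.0.1:8080,
# Keycloak served under /auth/.

frontend keycloak_front
    bind *:443 ssl crt /etc/haproxy/certs/keycloak.pem   # placeholder path
    # Remember the request path so the response rules below can match on it
    # (request samples such as 'path' are not available at response time).
    http-request set-var(txn.req_path) path
    default_backend keycloak_back

backend keycloak_back
    server kc1 127.0.0.1:8080 check

    # Only act on the realm endpoints the original question is about:
    # <server>/auth/realms/<realm>
    acl is_realm_endpoint var(txn.req_path) -m beg /auth/realms/

    # Remove every CORS header Keycloak may emit, so the browser applies the
    # default same-origin policy instead of whatever Keycloak computed.
    # Any legitimate cross-origin caller of these endpoints will break.
    http-response del-header Access-Control-Allow-Origin      if is_realm_endpoint
    http-response del-header Access-Control-Allow-Credentials if is_realm_endpoint
    http-response del-header Access-Control-Allow-Methods     if is_realm_endpoint
    http-response del-header Access-Control-Allow-Headers     if is_realm_endpoint
    http-response del-header Access-Control-Expose-Headers    if is_realm_endpoint
    http-response del-header Access-Control-Max-Age           if is_realm_endpoint
```

After reloading HAProxy, a request such as `curl -sI https://<server>/auth/realms/<realm>` should show no Access-Control-* headers, while the same request sent directly to port 8080 still does.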
-----Original Message-----
From: keycloak-user-bounces(a)lists.jboss.org [mailto:keycloak-user-bounces@lists.jboss.org]
On behalf of Joe Rowe
Sent: Thursday, 30 March 2017 9:18
To: keycloak-user(a)lists.jboss.org
Subject: [keycloak-user] Disable CORS on realm endpoints?
Hi all,
Is there a configuration setting which will disable CORS at the endpoint URL
<server>/auth/realms/<valid realm> ?
CORS is on by default here, but is not needed for our application and causes false
positives in pen testing.
Any help would be gratefully received!
Thanks
Joe
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user