Hi Kevin,
Thanks a lot for your reply. I gave your suggestion a shot but
unfortunately the CORS related headers are still present, only duplicated
with the blank ones too.
Thanks again for the suggestion all the same, it seemed very promising!
Joe
On Thu, 6 Apr 2017, 14:27 Kevin Berendsen, <kevin.berendsen(a)pharmapartners.nl> wrote:
Hi Joe,
I may have a solution for your problem but that will get rid of all CORS
headers of Keycloak.
In Keycloak_root/standalone/configuration/standalone.xml:
1. Find '<response-header name="x-powered-by-header" ',
2. Duplicate the line and change the header to whatever you like (each for
every CORS header) and leave the value empty.
3. Find '<filter-ref name="x-powered-by-header"/>'
4. Also duplicate that line and change it to any header you like.
Hopefully that'd override Keycloak's code.
Another solution (recommended), create a proxy server (Netflix Zuul or
HAProxy perhaps) and strip away those headers before returning the
response. Then you'd be in full control of what headers are returned to the
end-user's browser.
Good luck!
Kind regards,
Kevin Berendsen
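An added illustration of the proxy approach Kevin recommends, not code from the thread or from the Keycloak project: an HAProxy configuration that strips the standard CORS response headers only on the realm endpoint path Joe asked about. The listen port, backend address and section names are assumptions.

```haproxy
# Added example (not from the thread): HAProxy in front of Keycloak, removing the
# standard CORS response headers for /auth/realms/* while leaving every other
# path untouched. Assumed: Keycloak listens on 127.0.0.1:8080; TLS termination
# is omitted here to keep the example short.
defaults
    mode http
    timeout connect 5s
    timeout client  30s
    timeout server  30s

frontend keycloak_front
    bind *:80
    # Remember the request path in a transaction variable; request samples are
    # not reliably available inside http-response rules, the variable is.
    http-request set-var(txn.req_path) path
    default_backend keycloak_back

backend keycloak_back
    # Match only the realm endpoint from the question.
    acl realm_endpoint var(txn.req_path) -m beg /auth/realms/

    # Remove the CORS headers Keycloak adds on that endpoint. Header name
    # matching in del-header is case-insensitive, so this also covers
    # lower-cased variants.
    http-response del-header Access-Control-Allow-Origin      if realm_endpoint
    http-response del-header Access-Control-Allow-Credentials if realm_endpoint
    http-response del-header Access-Control-Allow-Methods     if realm_endpoint
    http-response del-header Access-Control-Allow-Headers     if realm_endpoint
    http-response del-header Access-Control-Expose-Headers    if realm_endpoint
    http-response del-header Access-Control-Max-Age           if realm_endpoint

    server kc1 127.0.0.1:8080 check
```

To confirm the change, request `/auth/realms/<valid realm>` through the proxy with `curl -si` and check that no `Access-Control-*` headers remain, then repeat against port 8080 directly to see that Keycloak itself still sends them (so the stripping must happen on every path clients can reach).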
-----Original Message-----
From: keycloak-user-bounces(a)lists.jboss.org [mailto:keycloak-user-bounces(a)lists.jboss.org] On Behalf Of Joe Rowe
Sent: Thursday, 30 March 2017 9:18
To: keycloak-user(a)lists.jboss.org
Subject: [keycloak-user] Disable CORS on realm endpoints?
Hi all,
Is there a configuration setting which will disable CORS at the endpoint
url <server>/auth/realms/<valid realm>?
CORS is on by default here, but is not needed for our application and
causes false positives in pen testing.
Any help would be gratefully received!
Thanks
Joe
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user