[jboss-jira] [JBoss JIRA] (WFLY-12155) Add X-XSS-Protection header to default management config

Jan Stourac (Jira) issues at jboss.org
Mon Jun 3 04:02:00 EDT 2019


Jan Stourac created WFLY-12155:
----------------------------------

             Summary: Add X-XSS-Protection header to default management config
                 Key: WFLY-12155
                 URL: https://issues.jboss.org/browse/WFLY-12155
             Project: WildFly
          Issue Type: Enhancement
          Components: Management
    Affects Versions: 16.0.0.Final
            Reporter: Jan Stourac
            Assignee: Jeff Mesnil


Even though we should probably avoid using non-standardized HTTP headers, since X-FRAME-OPTIONS is already present in the management config (WFCORE-1463), I propose to also consider adding the [X-XSS-PROTECTION|https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection] header to the default configuration of the management interface.

The benefit is slightly improved security for customers using the Web Console for management.

Viable values are one of the following two:
{code}
X-XSS-Protection: 1
X-XSS-Protection: 1; mode=block
{code}
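The following is an added example, not code from this issue or from the WildFly project. It parses an X-XSS-Protection value according to the syntax documented on the MDN page linked above (`0`, `1`, `1; mode=block`, `1; report=<uri>`) and audits a set of response headers for the two headers the issue discusses, so that a reviewer can verify what a management endpoint actually returns. The sample header sets at the bottom are constructed for the example, not captured from any server, and the verdict strings are this example's own convention.

```python
"""Parse the X-XSS-Protection header and audit a response for the
two management-console headers discussed in WFLY-12155.

Added example; not code from the issue or from WildFly.
"""
from typing import Dict, Optional

# The two variants proposed in the issue, in canonical spacing.
ACCEPTED_VALUES = ("1", "1; mode=block")


def parse_xss_protection(value: str) -> Dict[str, Optional[object]]:
    """Split an X-XSS-Protection value into its flag and directives.

    Accepts "0", "1", "1; mode=block" and "1; report=<uri>" (MDN syntax).
    Raises ValueError on anything else so a malformed header is never
    silently treated as protection.
    """
    parts = [p.strip() for p in value.split(";")]
    if parts[0] not in ("0", "1"):
        raise ValueError(f"unrecognised X-XSS-Protection flag: {value!r}")
    result: Dict[str, Optional[object]] = {
        "enabled": parts[0] == "1",
        "mode": None,
        "report": None,
    }
    for directive in parts[1:]:
        name, _, arg = directive.partition("=")
        name, arg = name.strip().lower(), arg.strip()
        if name == "mode" and arg == "block":
            result["mode"] = "block"
        elif name == "report" and arg:
            result["report"] = arg
        else:
            raise ValueError(f"unrecognised X-XSS-Protection directive: {directive!r}")
    return result


def normalise(value: str) -> str:
    """Canonicalise whitespace around ';' so '1;mode=block' compares equal."""
    return "; ".join(p.strip() for p in value.split(";"))


def audit_response_headers(headers: Dict[str, str]) -> Dict[str, str]:
    """Return a verdict per header; header names are matched case-insensitively."""
    lowered = {k.lower(): v for k, v in headers.items()}
    verdict: Dict[str, str] = {}

    # X-Frame-Options is already set by the management config (WFCORE-1463);
    # this check only confirms it is present.
    verdict["X-Frame-Options"] = "present" if lowered.get("x-frame-options") else "missing"

    xss = lowered.get("x-xss-protection")
    if xss is None:
        verdict["X-XSS-Protection"] = "missing"
        return verdict
    try:
        parsed = parse_xss_protection(xss)
    except ValueError:
        verdict["X-XSS-Protection"] = "malformed"
        return verdict
    if not parsed["enabled"]:
        verdict["X-XSS-Protection"] = "disabled"
    elif normalise(xss) in ACCEPTED_VALUES:
        verdict["X-XSS-Protection"] = "ok"
    else:
        verdict["X-XSS-Protection"] = "enabled-other"
    return verdict


# Constructed sample header sets for the example (not captured from a real server).
SAMPLES = {
    "hardened": {"X-Frame-Options": "SAMEORIGIN", "X-XSS-Protection": "1; mode=block"},
    "filter_only": {"X-Frame-Options": "SAMEORIGIN", "x-xss-protection": "1"},
    "disabled": {"X-Frame-Options": "SAMEORIGIN", "X-XSS-Protection": "0"},
    "bare": {"Content-Type": "text/html"},
}

if __name__ == "__main__":
    for name, hdrs in SAMPLES.items():
        print(f"{name:12s} {audit_response_headers(hdrs)}")
```

The parser rejects anything outside the documented syntax rather than guessing, which is the behaviour a configuration check should have: a typo in the header value should surface as "malformed", not pass as "ok".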



--
This message was sent by Atlassian Jira
(v7.12.1#712002)