[jboss-jira] [JBoss JIRA] (WFLY-12155) Add X-XSS-Protection header to default management config

Jan Stourac (Jira) issues at jboss.org
Mon Jun 3 04:07:00 EDT 2019


     [ https://issues.jboss.org/browse/WFLY-12155?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jan Stourac updated WFLY-12155:
-------------------------------
    Description: 
Even though we should probably avoid using non-standardized HTTP headers, since X-FRAME-OPTIONS is already present in management (WFCORE-1463), I propose to consider also adding the [X-XSS-Protection|https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection] header to the default configuration of management too.

The benefit is slightly improved security for customers using Web Console management.

Viable values are one of the following two:
{code}
X-XSS-Protection: 1
X-XSS-Protection: 1; mode=block
{code}

Headers currently provided:
{code}
curl -v http://localhost:9990/console/index.html
...
< HTTP/1.1 200 OK
< Connection: keep-alive
< Last-Modified: Wed, 29 May 2019 11:09:49 GMT
< X-Frame-Options: SAMEORIGIN
< Content-Length: 1289
< Content-Type: text/html
< Accept-Ranges: bytes
< Date: Mon, 03 Jun 2019 08:05:05 GMT
...
{code}

  was:
Even though we should probably avoid using non-standardized HTTP headers, since X-FRAME-OPTIONS is already present in management (WFCORE-1463), I propose to consider also adding the [X-XSS-PROTECTION|https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection] header to the default configuration of management too.

The benefit is slightly improved security for customers using Web Console management.

Viable values are one of the following two:
{code}
X-XSS-Protection: 1
X-XSS-Protection: 1; mode=block
{code}



> Add X-XSS-Protection header to default management config
> --------------------------------------------------------
>
>                 Key: WFLY-12155
>                 URL: https://issues.jboss.org/browse/WFLY-12155
>             Project: WildFly
>          Issue Type: Enhancement
>          Components: Management
>    Affects Versions: 16.0.0.Final
>            Reporter: Jan Stourac
>            Assignee: Jeff Mesnil
>            Priority: Major
>
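The check a practitioner would run against the management console once the header is added, as an example added here (not code from the issue or from WildFly): it parses the `< ` response-header lines of a `curl -v` transcript like the one in the issue and reports whether X-Frame-Options and X-XSS-Protection are present with the values discussed above. Both transcripts are constructed from the issue's curl output; the "after" one only appends the proposed header. Because the header is non-standard (as the issue itself notes) and current browsers ignore it, the check is a configuration-drift test rather than a guarantee against script injection, which a Content-Security-Policy has to provide.

```python
"""Verify the security response headers discussed in WFLY-12155 from a
`curl -v` transcript. Added example; not part of the Jira issue or WildFly."""
from typing import Dict, List, Tuple

# Constructed sample: the curl transcript quoted in the issue (before the change).
CURL_BEFORE = """\
curl -v http://localhost:9990/console/index.html
...
< HTTP/1.1 200 OK
< Connection: keep-alive
< Last-Modified: Wed, 29 May 2019 11:09:49 GMT
< X-Frame-Options: SAMEORIGIN
< Content-Length: 1289
< Content-Type: text/html
< Accept-Ranges: bytes
< Date: Mon, 03 Jun 2019 08:05:05 GMT
...
"""

# Constructed sample: the same response once the proposed header is present
# (value variant "1; mode=block" from the issue).
CURL_AFTER = CURL_BEFORE + "< X-XSS-Protection: 1; mode=block\n"

# The two value variants the issue proposes, in normalized form.
ACCEPTED_XSS_VALUES = {"1", "1; mode=block"}


def parse_curl_headers(transcript: str) -> Dict[str, List[str]]:
    """Extract response headers from `curl -v` output ("< Name: value" lines).
    Header names are case-insensitive, so keys are lower-cased; a header that
    is repeated is kept as a list in order of appearance."""
    headers: Dict[str, List[str]] = {}
    for line in transcript.splitlines():
        # Skip the request line, "..." elisions and the status line (no colon).
        if not line.startswith("< ") or ":" not in line:
            continue
        name, _, value = line[2:].partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def normalize_xss_protection(value: str) -> str:
    """Canonicalize an X-XSS-Protection value: trim whitespace around the
    ';'-separated parts and lower-case directives, e.g. "1 ;MODE=block"
    becomes "1; mode=block"."""
    parts = [p.strip().lower() for p in value.split(";") if p.strip()]
    return "; ".join(parts)


def check_security_headers(transcript: str) -> Dict[str, str]:
    """Return one finding per header: 'ok', 'missing' or 'weak:<reason>'.
    The last occurrence of a header wins, as browsers generally apply it."""
    headers = parse_curl_headers(transcript)
    findings: Dict[str, str] = {}

    xfo = headers.get("x-frame-options")
    if not xfo:
        findings["X-Frame-Options"] = "missing"
    elif xfo[-1].upper() in ("DENY", "SAMEORIGIN"):
        findings["X-Frame-Options"] = "ok"
    else:
        findings["X-Frame-Options"] = "weak:unexpected value %r" % xfo[-1]

    xxp = headers.get("x-xss-protection")
    if not xxp:
        findings["X-XSS-Protection"] = "missing"
    elif normalize_xss_protection(xxp[-1]) in ACCEPTED_XSS_VALUES:
        findings["X-XSS-Protection"] = "ok"
    else:
        # "0" disables the filter; anything else is not one of the two variants.
        findings["X-XSS-Protection"] = "weak:unexpected value %r" % xxp[-1]
    return findings


def transcript_is_compliant(transcript: str) -> bool:
    """True when every checked header reports 'ok'."""
    return all(v == "ok" for v in check_security_headers(transcript).values())


if __name__ == "__main__":
    for label, sample in (("before", CURL_BEFORE), ("after", CURL_AFTER)):
        print(label, check_security_headers(sample))
```

Run it against a live transcript by piping `curl -v` output (stderr carries the `< ` lines, so redirect with `2>&1`) into `check_security_headers`; the "before" sample reproduces the issue's finding that only X-Frame-Options is set.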



--
This message was sent by Atlassian Jira
(v7.12.1#712002)

