[jboss-jira] [JBoss JIRA] (WFCORE-4511) Add X-Content-Type-Options header to default management config
Brian Stansberry (Jira)
issues at jboss.org
Fri Jun 7 11:28:00 EDT 2019
[ https://issues.jboss.org/browse/WFCORE-4511?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Brian Stansberry moved WFLY-12156 to WFCORE-4511:
-------------------------------------------------
Project: WildFly Core (was: WildFly)
Key: WFCORE-4511 (was: WFLY-12156)
Component/s: Management (was: Management)
Affects Version/s: (was: 16.0.0.Final)
> Add X-Content-Type-Options header to default management config
> --------------------------------------------------------------
>
> Key: WFCORE-4511
> URL: https://issues.jboss.org/browse/WFCORE-4511
> Project: WildFly Core
> Issue Type: Enhancement
> Components: Management
> Reporter: Jan Stourac
> Assignee: Jeff Mesnil
> Priority: Major
>
> Even though we should probably avoid using non-standardized HTTP headers, since X-FRAME-OPTIONS is already present in management (WFCORE-1463), I propose that we also consider adding the [X-Content-Type-Options|https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options] header to the default management configuration.
> The benefit is slightly improved security for customers using Web Console management.
> Current headers provided:
> {code}
> curl -v http://localhost:9990/console/index.html
> ...
> < HTTP/1.1 200 OK
> < Connection: keep-alive
> < Last-Modified: Wed, 29 May 2019 11:09:49 GMT
> < X-Frame-Options: SAMEORIGIN
> < Content-Length: 1289
> < Content-Type: text/html
> < Accept-Ranges: bytes
> < Date: Mon, 03 Jun 2019 08:05:05 GMT
> ...
> {code}
--
This message was sent by Atlassian Jira
(v7.12.1#712002)
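
Added example, not part of the original message or of WildFly: a small audit that parses a `curl -v` transcript like the one quoted in the issue and reports whether X-Frame-Options and X-Content-Type-Options are set. The function names and the accepted-value table are assumptions of this example; `nosniff` is the only value defined for X-Content-Type-Options.

```python
# Expected values: header name (lower-case) -> acceptable values (upper-case).
# Assumption of this example: DENY and SAMEORIGIN are both accepted for framing.
EXPECTED = {
    "x-frame-options": {"DENY", "SAMEORIGIN"},
    "x-content-type-options": {"NOSNIFF"},
}

# Constructed sample: the response headers quoted in the issue description.
CURRENT_RESPONSE = """\
< HTTP/1.1 200 OK
< Connection: keep-alive
< Last-Modified: Wed, 29 May 2019 11:09:49 GMT
< X-Frame-Options: SAMEORIGIN
< Content-Length: 1289
< Content-Type: text/html
< Accept-Ranges: bytes
< Date: Mon, 03 Jun 2019 08:05:05 GMT
"""

def parse_response_headers(transcript):
    """Return {lower-case name: [values]} from curl -v output ('<' lines only)."""
    headers = {}
    for raw in transcript.splitlines():
        line = raw.strip()
        if not line.startswith("<"):
            continue  # request lines ('>') and curl info lines ('*') are ignored
        line = line[1:].strip()
        if line.upper().startswith("HTTP/") or ":" not in line:
            continue  # status line or blank separator
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers

def audit(transcript):
    """Return {header: 'ok' | 'missing' | 'unexpected value'} for EXPECTED."""
    headers = parse_response_headers(transcript)
    report = {}
    for name, allowed in EXPECTED.items():
        values = headers.get(name)
        if not values:
            report[name] = "missing"
        elif all(v.upper() in allowed for v in values):
            report[name] = "ok"
        else:
            report[name] = "unexpected value"
    return report

if __name__ == "__main__":
    for name, status in audit(CURRENT_RESPONSE).items():
        print(f"{name}: {status}")
```

Header names are compared case-insensitively, and a header that appears more than once passes only if every occurrence carries an accepted value.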