[jboss-jira] [JBoss JIRA] (WFCORE-4512) Add X-XSS-Protection header to default management config
Brian Stansberry (Jira)
issues at jboss.org
Fri Jun 7 11:29:00 EDT 2019
[ https://issues.jboss.org/browse/WFCORE-4512?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Brian Stansberry moved WFLY-12155 to WFCORE-4512:
-------------------------------------------------
Project: WildFly Core (was: WildFly)
Key: WFCORE-4512 (was: WFLY-12155)
Component/s: Management
(was: Management)
Affects Version/s: (was: 16.0.0.Final)
> Add X-XSS-Protection header to default management config
> --------------------------------------------------------
>
> Key: WFCORE-4512
> URL: https://issues.jboss.org/browse/WFCORE-4512
> Project: WildFly Core
> Issue Type: Enhancement
> Components: Management
> Reporter: Jan Stourac
> Assignee: Jeff Mesnil
> Priority: Major
>
> Even though we should probably avoid using non-standardized HTTP headers, since there is already X-FRAME-OPTIONS present in a management WFCORE-1463, I propose to consider to add also [X-XSS-Protection|https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection] header in a default configuration of the management too.
> Benefit is slightly improved security for customers using Web Console management.
> Viable value variants are one of the following two:
> {code}
> X-XSS-Protection: 1
> X-XSS-Protection: 1; mode=block
> {code}
> Current header provided:
> {code}
> curl -v http://localhost:9990/console/index.html
> ...
> < HTTP/1.1 200 OK
> < Connection: keep-alive
> < Last-Modified: Wed, 29 May 2019 11:09:49 GMT
> < X-Frame-Options: SAMEORIGIN
> < Content-Length: 1289
> < Content-Type: text/html
> < Accept-Ranges: bytes
> < Date: Mon, 03 Jun 2019 08:05:05 GMT
> ...
> {code}
--
This message was sent by Atlassian Jira
(v7.12.1#712002)
More information about the jboss-jira
mailing list