[keycloak-dev] security headers/realm attributes
Bill Burke
bburke at redhat.com
Mon Aug 11 11:50:41 EDT 2014
On 8/11/2014 11:33 AM, Stian Thorgersen wrote:
>
>
> ----- Original Message -----
>> From: "Bill Burke" <bburke at redhat.com>
>> To: keycloak-dev at lists.jboss.org
>> Sent: Monday, 11 August, 2014 4:19:26 PM
>> Subject: [keycloak-dev] security headers/realm attributes
>>
>> I'm going to add realm attributes to JPA model and move some stuff there
>> (brute force settings for example)
>>
>> Also, I'm going to add a new menu item "Attack Prevention" (if you can
>> think of a better name, let me know). Under this I'll move "Brute Force
>> Protection". Eventually we'll probably put IP Filtering there. Also,
>> will add a "Security Headers". Under this will allow you to manually
>> set these headers:
>
> "Intrusion prevention"?
>
> BTW the number of tabs on realm settings makes it span multiple rows if social is enabled
>
I didn't see this problem on Firefox unless you seriously minimized your
browser screen. I added more submenus because the Settings page was
scrolling off the page and you might not know some things exist.
I can break out roles/default roles into a new menu item?
>>
>> https://www.owasp.org/index.php/List_of_useful_HTTP_headers
>>
>> By default, iframe will use a same origin policy.
>>
>> Some of these headers are quite complex (Content-Security-Policy), so it
>> might be easiest to just allow the user to set the header manually.
>
> For 1.0.final that's probably best, but for the future I think we should figure this out so users don't have to ;)
>
I originally toyed with the idea of having a simple drop down list for
options, but when you look at Content-Security-Policy, it is quite
complex and I didn't want to create this huge UI for it.
We can set up some good defaults though.
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
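Since the plan above lets an admin type header values by hand, the realm configuration layer should at least refuse values that would break the header syntax and fall back to the same-origin framing default the thread mentions. The following is an added illustration written for this page, not Keycloak's own code: the default header set (taken from the OWASP list linked above), the function names and the validation rules are assumptions.

```python
import re

# Defaults in the spirit of the thread: frames restricted to the same origin,
# plus two low-risk headers from the OWASP list (assumed defaults, not Keycloak's).
DEFAULT_SECURITY_HEADERS = {
    "X-Frame-Options": "SAMEORIGIN",
    "X-Content-Type-Options": "nosniff",
    "X-XSS-Protection": "1; mode=block",
}

# A value typed by an admin must stay on one line: a CR or LF inside it would end
# the header early and let the remainder be emitted as a separate header.
_CTL = re.compile(r"[\r\n\x00]")


def validate_header(name, value):
    """Return None if the admin-supplied header is acceptable, else an error string."""
    if _CTL.search(name) or _CTL.search(value):
        return "control characters are not allowed in header names or values"
    if not re.fullmatch(r"[A-Za-z0-9-]+", name):
        return "header name must be a token of letters, digits and hyphens"
    if name.lower() == "x-frame-options":
        v = value.upper()
        if v not in ("DENY", "SAMEORIGIN") and not v.startswith("ALLOW-FROM "):
            return "X-Frame-Options must be DENY, SAMEORIGIN or ALLOW-FROM <uri>"
    if name.lower() == "content-security-policy":
        # Syntax only: each directive is a name optionally followed by a value.
        # Whether the policy is a sensible one is left to the admin, as the thread proposes.
        for directive in value.split(";"):
            d = directive.strip()
            if d and not re.fullmatch(r"[A-Za-z-]+( [^;]*)?", d):
                return f"malformed Content-Security-Policy directive: {d!r}"
    return None


def effective_headers(admin_headers):
    """Merge admin-supplied headers over the defaults, skipping invalid ones.

    Returns (headers, errors) where errors maps a rejected header name to its reason."""
    headers = dict(DEFAULT_SECURITY_HEADERS)
    errors = {}
    for name, value in admin_headers.items():
        err = validate_header(name, value)
        if err:
            errors[name] = err
            continue
        # Header names are case-insensitive, so drop any default spelled differently.
        for existing in list(headers):
            if existing.lower() == name.lower():
                del headers[existing]
        headers[name] = value
    return headers, errors
```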