[keycloak-user] Disable CORS on realm endpoints?
Kevin Berendsen
kevin.berendsen at pharmapartners.nl
Thu Apr 6 08:37:28 EDT 2017
Hi Joe,
I may have a solution for your problem, but that will get rid of all CORS headers of Keycloak.
In Keycloak_root/standalone/configuration/standalone.xml:
1. Find '<response-header name="x-powered-by-header" ',
2. Duplicate the line and change the header to whatever you like (each for every CORS header) and leave the value empty.
3. Find '<filter-ref name="x-powered-by-header"/>'
4. Also duplicate that line and change it to any header you like.
Hopefully that'd override Keycloak's code.
Another solution (recommended): create a proxy server (Netflix Zuul or HAProxy perhaps) and strip away those headers before returning the response. Then you'd be in full control of what headers are returned to the end-user's browser.
Good luck!
Kind regards,
Kevin Berendsen
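The proxy approach Kevin recommends, written out as an added HAProxy configuration example; this is not from the mailing-list message or from the Keycloak project. The frontend and backend names, the listening port, the backend address 127.0.0.1:8080 and the /auth/realms/ path prefix are assumptions for illustration. The request path is saved into a transaction variable, because response rules cannot read the request path directly, and the CORS response headers are then deleted only for realm endpoints, so other routes keep whatever headers Keycloak sets.

```haproxy
# Added example: strip Keycloak's CORS headers at the reverse proxy.
# Names, port and backend address below are assumptions, not Keycloak defaults.
frontend keycloak_front
    bind *:443 ssl crt /etc/haproxy/certs/keycloak.pem   # assumed certificate path

    # Remember the request path for the response phase (path is not available there).
    http-request set-var(txn.req_path) path

    # Only realm endpoints (the URL pattern from Joe's question) are affected.
    acl realm_endpoint var(txn.req_path) -m beg /auth/realms/

    # Remove every CORS header Keycloak emitted before the response reaches the browser.
    http-response del-header Access-Control-Allow-Origin      if realm_endpoint
    http-response del-header Access-Control-Allow-Credentials if realm_endpoint
    http-response del-header Access-Control-Allow-Methods     if realm_endpoint
    http-response del-header Access-Control-Allow-Headers     if realm_endpoint
    http-response del-header Access-Control-Expose-Headers    if realm_endpoint
    http-response del-header Access-Control-Max-Age           if realm_endpoint

    default_backend keycloak_back

backend keycloak_back
    # Assumed Keycloak address; the proxy, not Keycloak, is now the only source of CORS policy.
    server kc1 127.0.0.1:8080
```

To confirm the result after a reload, request a realm endpoint through the proxy with an Origin header (for example with curl -sD - -o /dev/null -H "Origin: https://example.test" https://proxy-host/auth/realms/master) and check that no Access-Control-* lines appear in the response headers, while the same request sent directly to port 8080 still shows them.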
-----Original message-----
From: keycloak-user-bounces at lists.jboss.org [mailto:keycloak-user-bounces at lists.jboss.org] On behalf of Joe Rowe
Sent: Thursday 30 March 2017 9:18
To: keycloak-user at lists.jboss.org
Subject: [keycloak-user] Disable CORS on realm endpoints?
Hi all,
Is there a configuration setting which will disable CORS at the endpoint URL <server>/auth/realms/<valid realm>?
CORS is on by default here, but is not needed for our application and causes false positives in pen testing.
Any help would be gratefully received!
Thanks
Joe
_______________________________________________
keycloak-user mailing list
keycloak-user at lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user