[keycloak-user] Disable CORS on realm endpoints?

Joe Rowe josepharowe at gmail.com
Thu Apr 6 10:11:41 EDT 2017


Hi Kevin,

Thanks a lot for your reply. I gave your suggestion a shot but
unfortunately the CORS related headers are still present, only duplicated
with the blank ones too.

Thanks again for the suggestion all the same, it seemed very promising!

Joe

On Thu, 6 Apr 2017, 14:27 Kevin Berendsen, <kevin.berendsen at pharmapartners.nl> wrote:

> Hi Joe,
>
> I may have a solution for your problem but that will get rid of all CORS
> headers of Keycloak.
>
> In Keycloak_root/standalone/configuration/standalone.xml:
> 1. Find '<response-header name="x-powered-by-header" ',
> 2. Duplicate the line and change the header to whatever you like (each for
> every CORS header) and leave the value empty.
> 3. Find '<filter-ref name="x-powered-by-header"/>'
> 4. Also duplicate that line and change it to any header you like.
> Hopefully that'd override Keycloak's code.
>
> Another solution (recommended), create a proxy server (Netflix Zuul or
> HAProxy perhaps) and strip away those headers before returning the
> response. Then you'd be in full control of what headers are returned to the
> end-user's browser.
>
> Good luck!
>
> Kind regards,
> Kevin Berendsen
>
> -----Original message-----
> From: keycloak-user-bounces at lists.jboss.org [mailto:
> keycloak-user-bounces at lists.jboss.org] On behalf of Joe Rowe
> Sent: Thursday 30 March 2017 9:18
> To: keycloak-user at lists.jboss.org
> Subject: [keycloak-user] Disable CORS on realm endpoints?
>
> Hi all,
>
> Is there a configuration setting which will disable CORS at the endpoint
> url:
> <server>/auth/realms/<valid realm>
> ?
>
> CORS is on by default here, but is not needed for our application and
> causes false positives in pen testing.
>
> Any help would be gratefully received!
>
> Thanks
> Joe
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
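Kevin's recommended route, a reverse proxy in front of Keycloak that strips the CORS headers before they reach the browser, written out as an added HAProxy example that is not from the original thread. The listener, certificate path and backend address are assumptions; the path prefix is the realm endpoint Joe asks about.

```haproxy
# Added example (not from the thread): HAProxy in front of Keycloak, removing
# the CORS response headers on the realm endpoints only. The bind address,
# certificate path and Keycloak address are assumptions for illustration.
defaults
    mode http
    timeout connect 5s
    timeout client 30s
    timeout server 30s

frontend fe_keycloak
    bind *:443 ssl crt /etc/haproxy/keycloak.pem   # assumed certificate path
    # The request path is no longer available while the response is being
    # processed, so remember it in a transaction-scoped variable here.
    http-request set-var(txn.req_path) path
    default_backend be_keycloak

backend be_keycloak
    server kc1 127.0.0.1:8080 check   # assumed Keycloak address

    # Matches <server>/auth/realms/<realm> and everything beneath it;
    # all other paths are left untouched.
    acl realm_endpoint var(txn.req_path) -m beg /auth/realms/

    # Strip every CORS header Keycloak may emit, but only for realm endpoints.
    http-response del-header Access-Control-Allow-Origin      if realm_endpoint
    http-response del-header Access-Control-Allow-Credentials if realm_endpoint
    http-response del-header Access-Control-Allow-Methods     if realm_endpoint
    http-response del-header Access-Control-Allow-Headers     if realm_endpoint
    http-response del-header Access-Control-Expose-Headers    if realm_endpoint
    http-response del-header Access-Control-Max-Age           if realm_endpoint
```

One caveat: browser-based adapters such as keycloak.js depend on these headers for cross-origin token requests to the realm endpoints, so this only suits deployments that, like Joe's, have no such clients.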

