[keycloak-user] Fwd: CORS disable config?

Joe Rowe josepharowe at gmail.com
Thu Mar 23 08:06:50 EDT 2017


Hi,

I have a question regarding disabling CORS on keycloak realm endpoints.

When sending a request to:

<keycloak server : port>/auth/realms/<valid realm>

And setting an Origin on the request, the response contains an
access-control-allow-origin containing the request origin. Further testing
indicates that all origins are allowed.

This was flagged as a security vulnerability when penetration testing, and
although the content is of course public info, it would be useful if I
could disable CORS here as 1) I do not need to expose this data, and 2) it
would reduce false positives from testing.

Is there a config property for the keycloak standalone that will allow me
to do this? I've searched this list as well as the keycloak docs and
examples but haven't found an answer to this specific case.

Best regards,
Joe
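A small check for the behaviour described in the post (an Access-Control-Allow-Origin header that echoes whatever Origin the client sent), useful for confirming the pentest finding and as a regression test once the endpoint is reconfigured. This is an added example, not code from Keycloak or from the poster; the URL and the constructed origin are placeholders.

```python
"""Classify an endpoint's CORS policy from its response headers and probe a
URL with a constructed Origin header. Added example, not Keycloak code."""
import urllib.request
from typing import Mapping


def classify_cors(sent_origin: str, headers: Mapping[str, str]) -> str:
    """Classify the CORS policy from response headers (header names are
    matched case-insensitively).

    Returns one of:
      "none"      - no Access-Control-Allow-Origin header at all
      "wildcard"  - Access-Control-Allow-Origin is "*"
      "reflected" - the header echoes the Origin we sent (the post's case)
      "fixed"     - the header names some other, fixed origin
    """
    lower = {k.lower(): v for k, v in headers.items()}
    acao = lower.get("access-control-allow-origin")
    if acao is None:
        return "none"
    acao = acao.strip()
    if acao == "*":
        return "wildcard"
    if acao.lower() == sent_origin.lower():
        return "reflected"
    return "fixed"


def probe(url: str, origin: str = "https://cors-check.invalid",
          timeout: float = 10.0) -> dict:
    """GET `url` with a constructed Origin and classify the response.

    Also reports Access-Control-Allow-Credentials: a reflected origin
    combined with credentials=true matters far more than a reflected
    origin on a public, unauthenticated document.
    """
    req = urllib.request.Request(url, headers={"Origin": origin})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        headers = {k.lower(): v for k, v in resp.headers.items()}
    return {
        "url": url,
        "origin": origin,
        "cors": classify_cors(origin, headers),
        "allow_credentials": headers.get("access-control-allow-credentials"),
    }


if __name__ == "__main__":
    # Placeholder: replace with your own <keycloak server : port>/auth/realms/<realm>
    print(probe("http://localhost:8080/auth/realms/master"))
```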

