[keycloak-user] Disable strict-transport-security header on /auth url

Stian Thorgersen sthorger at redhat.com
Mon Oct 1 18:05:13 EDT 2018


You really do need to use https for both Keycloak and your applications
otherwise you have basically no security, especially with token based
security. Rather than try to circumvent this I strongly suggest you enable
https everywhere.

On Mon, 1 Oct 2018, 21:57 Tungatkar, Niranjan, <Niranjan.Tungatkar at arris.com>
wrote:

>
> I have a non-homogeneous set of services (https and http) which use
> keycloak for authentication.
> My Keycloak instance supports SSL, but other services are http.
>
> I have an admin user which accesses the https://keycloak-url:31443/auth url
> for user management.
>
>
> I disabled the strict transport security header on all the realms, which
> stops the strict-transport-security header from being sent and thus prevents
> redirection to https.
>
> But my problem is whenever the admin user hits the /auth url it sends the
> strict-transport-security header, which messes up my angular app.
>
> Is there a way I can configure the response of /auth or the welcome page
> to stop sending the strict-transport-security header?
>
> Thanks
> Niranjan.
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
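Added example, not from the thread or from Keycloak itself: a small model of a browser's HSTS cache (RFC 6797) that shows why switching the header off per realm does not help once the /auth welcome page has sent it. The policy is stored per host name, never per path or port, so a single header from keycloak-url:31443/auth makes the browser upgrade every later http request to keycloak-url. The responses below are constructed.

```python
from urllib.parse import urlsplit

RESPONSES = [  # constructed responses a browser might get from the Keycloak host
    ("https://keycloak-url:31443/auth",
     {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"}),
    ("https://keycloak-url:31443/auth/realms/myrealm/account",
     {"Content-Type": "text/html"}),  # realm with the header switched off
]

def parse_hsts(value):
    """Return (max_age, include_subdomains), or None if max-age is missing."""
    max_age, include_sub = None, False
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        name, arg = name.strip().lower(), arg.strip().strip('"')
        if name == "max-age" and arg.isdigit():
            max_age = int(arg)
        elif name == "includesubdomains":
            include_sub = True
    return None if max_age is None else (max_age, include_sub)

class HstsCache:
    # Browser-side HSTS store: keyed by host name only, never by path or port.
    def __init__(self):
        self.hosts = {}

    def observe(self, url, headers):
        parts = urlsplit(url)
        value = {k.lower(): v for k, v in headers.items()}.get(
            "strict-transport-security")
        if parts.scheme != "https" or value is None:
            return  # RFC 6797: the header is ignored on plain http
        policy = parse_hsts(value)
        if policy and policy[0] == 0:
            self.hosts.pop(parts.hostname, None)  # max-age=0 evicts the host
        elif policy:
            self.hosts[parts.hostname] = policy

    def upgrades(self, url):
        """Would a plain-http navigation to url be rewritten to https?"""
        host = urlsplit(url).hostname
        return host in self.hosts or any(
            sub and host.endswith("." + h) for h, (_, sub) in self.hosts.items())

def simulate(responses=RESPONSES):
    cache = HstsCache()
    for url, headers in responses:
        cache.observe(url, headers)
    # One header from the /auth welcome page pins the whole host, on any port.
    return cache.upgrades("http://keycloak-url:8080/auth/realms/myrealm")
```

The realm-level setting only controls the header on realm endpoints; the model shows that the browser-side effect is decided by whichever secure response on the host last carried the header.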

