Uploaded image for project: 'WildFly Core'
  1. WildFly Core
  2. WFCORE-4511

Add X-Content-Type-Options header to default management config

XMLWordPrintable

    • Icon: Enhancement Enhancement
    • Resolution: Unresolved
    • Icon: Major Major
    • None
    • None
    • Management
    • None

      Even though we should probably avoid using non-standardized HTTP headers, since there is already X-FRAME-OPTIONS present in a management WFCORE-1463, I propose to consider to add also X-Content-Type-Options header in a default configuration of the management too.

      Benefit is slightly improved security for customers using Web Console management.

      Current header provided:

      curl -v http://localhost:9990/console/index.html
...
< HTTP/1.1 200 OK
< Connection: keep-alive
< Last-Modified: Wed, 29 May 2019 11:09:49 GMT
< X-Frame-Options: SAMEORIGIN
< Content-Length: 1289
< Content-Type: text/html
< Accept-Ranges: bytes
< Date: Mon, 03 Jun 2019 08:05:05 GMT
...

            jmesnil1@redhat.com Jeff Mesnil
            jstourac@redhat.com Jan Stourac
            Votes:
            0 Vote for this issue
            Watchers:
            1 Start watching this issue

              Created:
              Updated: