WildFly Core / WFCORE-4512

Add X-XSS-Protection header to default management config


Details

    • Type: Enhancement
    • Resolution: Unresolved
    • Priority: Major
    • Component: Management

    Description

      Even though we should probably avoid using non-standardized HTTP headers, since X-FRAME-OPTIONS is already present in the management interface (WFCORE-1463), I propose also adding the X-XSS-Protection header to the default management configuration.

      The benefit is slightly improved security for customers using the Web Console for management.

      Viable values are one of the following two:

      X-XSS-Protection: 1
      X-XSS-Protection: 1; mode=block
      

      Current header provided:

      curl -v http://localhost:9990/console/index.html
      ...
      < HTTP/1.1 200 OK
      < Connection: keep-alive
      < Last-Modified: Wed, 29 May 2019 11:09:49 GMT
      < X-Frame-Options: SAMEORIGIN
      < Content-Length: 1289
      < Content-Type: text/html
      < Accept-Ranges: bytes
      < Date: Mon, 03 Jun 2019 08:05:05 GMT
      ...
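To verify whether a management endpoint already sends the headers discussed here, the following added check (example code, not part of the issue or of WildFly Core) parses curl -v response lines like the ones quoted above and reports any header that is missing or carries a value outside the variants proposed in this issue. The sample output is a constructed copy in the same shape as the quoted one.

```python
import re
from typing import Dict, List

# Constructed sample in the same shape as the curl -v output quoted in the issue;
# only response-header lines (prefixed "< ") are parsed, everything else is ignored.
SAMPLE_CURL_OUTPUT = """\
*   Trying 127.0.0.1...
> GET /console/index.html HTTP/1.1
< HTTP/1.1 200 OK
< Connection: keep-alive
< Last-Modified: Wed, 29 May 2019 11:09:49 GMT
< X-Frame-Options: SAMEORIGIN
< Content-Length: 1289
< Content-Type: text/html
< Accept-Ranges: bytes
< Date: Mon, 03 Jun 2019 08:05:05 GMT
"""

# Accepted values per header: X-Frame-Options as added by WFCORE-1463, and the two
# X-XSS-Protection variants proposed in this issue (compared case-insensitively).
EXPECTED = {
    "x-frame-options": {"sameorigin", "deny"},
    "x-xss-protection": {"1", "1; mode=block"},
}


def parse_curl_headers(output: str) -> Dict[str, str]:
    """Collect response headers from curl -v output into a lower-cased name -> value map."""
    headers: Dict[str, str] = {}
    for line in output.splitlines():
        if not line.startswith("< ") or ":" not in line:
            continue  # status line, request lines and curl chatter carry no header
        name, _, value = line[2:].partition(":")  # split on the first colon only
        headers[name.strip().lower()] = value.strip()
    return headers


def _normalize(value: str) -> str:
    # Collapse whitespace around ';' so "1;mode=block" and "1; mode=block" compare equal.
    return re.sub(r"\s*;\s*", "; ", value.strip().lower())


def check_security_headers(headers: Dict[str, str]) -> List[str]:
    """Return one finding per expected header that is missing or has an unexpected value."""
    findings = []
    for name, accepted in EXPECTED.items():
        if name not in headers:
            findings.append(f"{name}: missing")
        elif _normalize(headers[name]) not in accepted:
            findings.append(f"{name}: unexpected value {headers[name]!r}")
    return findings


if __name__ == "__main__":
    for finding in check_security_headers(parse_curl_headers(SAMPLE_CURL_OUTPUT)):
        print(finding)  # prints "x-xss-protection: missing" for the sample above
```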
      

People

  jmesnil1@redhat.com Jeff Mesnil
  jstourac@redhat.com Jan Stourac