Do you know if there is a standard way to configure the Http Headers that JBoss EAP 7 sends to the client? I am mainly interested in being able to configure the following ones:
- X-XSS-Protection
- X-Frame-Options
- Strict-Transport-Security
- Content-Security-Policy
- X-Content-Type-Options
I found this link on the internet
https://blog.akquinet.de/2017/08/03/wildfly-8-10-and-jboss-eap-7-verbose-http-headers/
but I am not sure whether I can use it for the headers I am interested in.
Thank you!
As per the JBoss EAP 7 documentation:
Previous releases of JBoss EAP supported valves. Valves are custom classes inserted into the request processing pipeline for an application before servlet filters to make changes to the request or perform additional processing. Global valves are inserted into the request processing pipeline of all deployed applications. Authenticator valves authenticate the credentials of the request. Valves were created by extending the org.apache.catalina.valves.ValveBase class and configured in the element of the jboss-web.xml descriptor file.
Undertow, which replaces JBoss Web in JBoss EAP 7, does not support valves; however, you should be able to achieve similar functionality by using Undertow handlers. Undertow includes a number of built-in handlers that provide common functionality. It also provides the ability to create custom handlers, which can be used to replace custom valve functionality.
You can still go this route for complex situations however now in utilizing Undertow add response headers been simplified as you can just add custom headers to the JBoss Undertow Subsystem, you're filters section will change from this:
<filters>
<response-header name="server-header" header-name="Server" header-value="JBoss-EAP/7"/>
<response-header name="x-powered-by-header" header-name="X-Powered-By" header-value="Undertow/1"/>
</filters>
To this:
<filters>
<response-header name="server-header" header-name="Server" header-value="JBoss-EAP/7"/>
<response-header name="x-powered-by-header" header-name="X-Powered-By" header-value="Undertow/1"/>
<!-- Begin custom Headers -->
<response-header name="x-xss-protection" header-name="X-XSS-Protection" header-value=""/>
<response-header name="x-frame-options" header-name="X-Frame-Options" header-value=""/>
<response-header name="strict-transport-security" header-name="Strict-Transport-Security" header-value=""/>
<response-header name="content-security-policy" header-name="Content-Security-Policy" header-value=""/>
<response-header name="x-Content-type-options" header-name="X-Content-Type-Options" header-value=""/>
</filters>
I'll leave it up to everyone else to determine the values they'd like to place for the headers (save some editing during copy/paste)
Look the link of Jboss EAP 7: Configuring Filters
Open your standalone.xml in the directory JBoss EAP 7 and search "urn:jboss:domain:undertow" in this xml, then add your custom filter rules like:
<filters>
<response-header name="server-header" header-name="Server" header-value="JBoss-EAP/7"/>
<response-header name="x-powered-by-header" header-name="X-Powered-By" header-value="Undertow/1"/>
<!--your custom rules in detail-->
<response-header name="x-frame-options" header-name="X-Frame-Options" header-value=""/>
</filters>
Don't forget to add <filter-ref name="x-frame-options"/> in
<subsystem xmlns="urn:jboss:domain:undertow:4.0">
<host name="default-host" alias="localhost">
<location name="/" handler="welcome-content"/>
<filter-ref name="server-header"/>
<filter-ref name="x-powered-by-header"/>
<!--declare your custom rules here-->
<filter-ref name="x-frame-options"/>
<single-sign-on http-only="true" secure="true"/>
<http-invoker security-realm="ApplicationRealm"/>
</host>
</subsystem>
来源:https://stackoverflow.com/questions/48643257/configure-http-headers-in-jboss-eap-7