Set HttpResponse headers in Wildfly 10

To mitigate common web security vulnerabilities, we are often required to set various HTTP response headers.

Some of these headers are as follows:

1. X-Content-Type-Options

The X-Content-Type-Options response header is a marker used by the server to indicate that the MIME types advertised in the Content-Type headers should be followed as given and must not be changed (sniffed) by the browser.


2. X-XSS-Protection

If this header is set, the browser stops loading the page when it detects a cross-site scripting attack.

3. Cache-Control 

This header tells the browser whether a resource may be served from its cache or must be taken from the server. If no-cache is set, the browser loads the resource from the server every time instead of from its cache.

4. X-Frame-Options

If this header is set, the application cannot be embedded in a frame by a page served from another domain.


5. Pragma

This header is similar to Cache-Control with a no-cache value and does the same thing, i.e. it controls whether the resource is taken from the cache or not. The only difference is that it was introduced in HTTP/1.0, so it is still used to support older clients.

These headers can be configured as filters in standalone.xml or domain.xml, depending on the server mode, so that they apply to every request.

Below is the snippet in which the HTTP response headers are configured as filters in the undertow subsystem; they are applied to all requests. Each filter-ref under the host refers by name to a response-header filter defined in the filters section. The result can be verified in any browser by opening the developer tools and inspecting the response headers.
<subsystem xmlns="urn:jboss:domain:undertow:3.1">
    <buffer-cache name="default" />
    <server name="default-server">
        <http-listener name="default" socket-binding="http" redirect-socket="https" enable-http2="true" />
        <https-listener name="https" socket-binding="https" security-realm="ApplicationRealm" enable-http2="true" />
        <host name="default-host">
            <location name="/" handler="welcome-content" />
            <filter-ref name="xXssProtection" />
            <filter-ref name="xContentTypeOptions" />
            <filter-ref name="cacheControl" />
            <filter-ref name="Pragma" />
            <filter-ref name="xFrameOptions" />
        </host>
    </server>
    <servlet-container name="default" eager-filter-initialization="true">
        <jsp-config />
        <websockets />
    </servlet-container>
    <handlers>
        <file name="welcome-content" path="${jboss.home.dir}/welcome-content" />
    </handlers>
    <filters>
        <response-header name="xXssProtection" header-name="X-XSS-Protection" header-value="1; mode=block" />
        <response-header name="xContentTypeOptions" header-name="X-Content-Type-Options" header-value="nosniff" />
        <response-header name="cacheControl" header-name="CACHE-CONTROL" header-value="NO-CACHE" />
        <response-header name="Pragma" header-name="PRAGMA" header-value="NO-CACHE" />
        <response-header name="xFrameOptions" header-name="X-Frame-Options" header-value="SAMEORIGIN" />
    </filters>
</subsystem>

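The browser check described above can also be scripted. The Python below is an added example, not part of the original post or of WildFly: it parses a raw response head (as captured with `curl -sI` against your own host; the embedded sample is constructed) and reports, for each header configured in the snippet, whether it arrived with the expected value.

```python
# Added example, not from the original post: checks a raw HTTP response head (e.g.
# from `curl -sI https://host/`) against the values the undertow filters above send.
# Header names and Cache-Control directives are case-insensitive (RFC 7230/7234),
# so the config's CACHE-CONTROL: NO-CACHE still matches the expected token here.
EXPECTED = {
    "x-content-type-options": {"nosniff"},
    "x-xss-protection": {"1", "mode=block"},
    "cache-control": {"no-cache"},
    "pragma": {"no-cache"},
    "x-frame-options": {"sameorigin"},
}

def parse_headers(raw: str) -> dict:
    """Parse a response head into {lower-case name: [values]}, stopping at the blank line."""
    headers = {}
    for line in raw.strip().splitlines()[1:]:   # [0] is the status line
        if not line.strip():
            break
        if ":" not in line:
            continue                             # skip malformed lines
        name, value = line.split(":", 1)
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers

def _tokens(value: str) -> set:
    """Split '1; mode=block' or 'no-cache, no-store' into lower-case tokens."""
    return {t.strip().lower() for t in value.replace(";", ",").split(",") if t.strip()}

def check_security_headers(raw: str) -> dict:
    """Return 'ok', 'missing' or 'unexpected: <value>' for each expected header."""
    present = parse_headers(raw)
    report = {}
    for name, want in EXPECTED.items():
        values = present.get(name)
        if not values:
            report[name] = "missing"
            continue
        got = set().union(*(_tokens(v) for v in values))
        # Extra directives are fine: 'no-cache, no-store' still disables caching.
        report[name] = "ok" if want <= got else "unexpected: " + ", ".join(values)
    return report

# Constructed sample shaped like `curl -sI` output from a host with the filters
# applied; Pragma is deliberately left out to show how a miss is reported.
SAMPLE_RESPONSE = """HTTP/1.1 200 OK
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
CACHE-CONTROL: NO-CACHE
X-Frame-Options: SAMEORIGIN
"""
```

Running `check_security_headers(SAMPLE_RESPONSE)` reports `pragma` as missing and the other four as ok; feed it the saved output of `curl -sI` against your server to check a live deployment.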
Comments

  1. Sakina,
    Thanks for the detailed post.
    I tried with the filter options you mentioned here; however, when I restart the server I get the following error. Can you please suggest what else I need to do to get it working? I am using Wildfly 10.5, and I would greatly appreciate it if you could respond soon. P.S. I get similar errors for the other filter options also.
    Thanks in advance for your help.
    Raj

    14:13:23,045 ERROR [org.jboss.as.controller.management-operation] (Controller Boot Thread) WFLYCTL0013: Operation ("add") failed - address: ([
    ("subsystem" => "undertow"),
    ("server" => "default-server"),
    ("host" => "default-host"),
    ("filter-ref" => "xXssProtection")
    ]) - failure description: {
    "WFLYCTL0412: Required services that are not installed:" => ["jboss.undertow.filter.xXssProtection"],
    "WFLYCTL0180: Services with missing/unavailable dependencies" => ["jboss.undertow.server.default-server.default-host.filter-ref.xXssProtection is missing [jboss.undertow.filter.xXssProtection]"]
    }
