Configure HTTP Headers in Wildfly 10 - security

Is there a way to configure the HTTP headers that WildFly (10 or later) sends to the client, specifically the following:
HTTPS Strict Transport Security (HSTS)
X-XSS-Protection
X-Frame-Options
Strict-Transport-Security
Content-Security-Policy
X-Content-Type-Options
I have a configuration file (standalone.xml) where all the configurations are present. I need to add the configuration for the headers here.

<subsystem xmlns="urn:jboss:domain:undertow:6.0" default-server="default-server" default-virtual-host="default-host" default-servlet-container="default" default-security-domain="other">
    <buffer-cache name="default"/>
    <server name="default-server">
        <http-listener name="default" socket-binding="http" max-parameters="10000" redirect-socket="https" enable-http2="true"/>
        <https-listener name="https" socket-binding="https" security-realm="ApplicationRealm" enable-http2="true"/>
        <host name="default-host" alias="localhost">
            <location name="/" handler="welcome-content" predicate="not exists[%{o,Content-Security-Policy}]"/>
            <http-invoker security-realm="ApplicationRealm"/>
            <filter-ref name="Content-Security-Policy"/>
            <filter-ref name="x-frame-options"/>
            <filter-ref name="x-xss-protection"/>
            <filter-ref name="x-content-type-options"/>
            <!--filter-ref name="content-security-policy"/-->
            <filter-ref name="strict-transport-security"/>
            <filter-ref name="my-custom-header"/>
        </host>
    </server>
    <servlet-container name="default">
        <jsp-config/>
        <websockets/>
    </servlet-container>
    <handlers>
        <file name="welcome-content" path="${jboss.home.dir}/welcome-content"/>
    </handlers>
    <filters>
        <response-header name="server-header" header-name="Server" header-value="JBoss-EAP/7"/>
        <response-header name="x-powered-by-header" header-name="X-Powered-By" header-value="Undertow/1"/>
        <response-header name="Content-Security-Policy" header-name="Content-Security-Policy" header-value="default-src 'self'"/>
        <response-header name="x-frame-options" header-name="X-Frame-Options" header-value="SAMEORIGIN"/>
        <response-header name="x-xss-protection" header-name="X-XSS-Protection" header-value="1; mode=block"/>
        <response-header name="x-content-type-options" header-name="X-Content-Type-Options" header-value="nosniff"/>
        <!--response-header name="content-security-policy" header-name="Content-Security-Policy" header-value="default-src https:"/-->
        <response-header name="strict-transport-security" header-name="Strict-Transport-Security" header-value="max-age=31536000; includeSubDomains;"/>
        <!-- Add line below -->
        <response-header name="my-custom-header" header-name="my-custom-header" header-value="my-custom-value"/>
    </filters>
</subsystem>

Adding a bit more information to #merly's response.
These are some application best practices for setting security headers to prevent unauthorized attempts to modify or read information.
Content-Security-Policy (CSP)
This header restricts the sources from which the browser will load resources including scripts, styles and media. By permitting only trusted sources and secure HTTPS channels, this header can help prevent XSS and sniffing attacks.
For sites that only load resources from a single web application server, configure the CSP header to only allow resources from that server for all resource types. If resources are loaded from other trusted sources, create a more specific CSP header.
<filter-ref name="Content-Security-Policy"/>
<response-header name="Content-Security-Policy" header-name="Content-Security-Policy" header-value="default-src 'self'"/>
X-Content-Type-Options
This header tells the browser not to infer a resource type from its content and to stick to the content type advertised by the application. This can mitigate vulnerabilities such as XSS by preventing the browser from transforming non-executable content into executable content.
<filter-ref name="x-content-type-options"/>
<response-header name="x-content-type-options" header-name="X-Content-Type-Options" header-value="nosniff"/>
X-Frame-Options
If this header is set, it does not allow the application to be opened from a cross-domain URL.
<filter-ref name="x-frame-options"/>
<response-header name="x-frame-options" header-name="X-Frame-Options" header-value="SAMEORIGIN"/>
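A check worth running before restarting WildFly: every filter-ref under the host must name a filter that exists in the filters section (the match is exact and case-sensitive, which is why the commented-out content-security-policy reference above would not resolve against the Content-Security-Policy filter), and a filter that nobody references never emits its header. The script below is an added example, not part of either answer; it parses the undertow subsystem shown above (embedded here as a trimmed sample) with the standard library only and reports dangling references, unreferenced filters, the headers that will actually be sent, and which of the headers the question asked for are still missing. The audit_undertow function name and the report layout are this example's own choices.

```python
"""Cross-check filter-refs against filters in a WildFly standalone.xml undertow subsystem."""
import xml.etree.ElementTree as ET

# Headers the question asks about; HTTP header names are case-insensitive, so compare lowercased.
EXPECTED_HEADERS = (
    "Strict-Transport-Security",
    "Content-Security-Policy",
    "X-Frame-Options",
    "X-Content-Type-Options",
    "X-XSS-Protection",
)

# Sample input: the undertow subsystem from the answer above, trimmed to the parts that affect headers.
SAMPLE_SUBSYSTEM = """\
<subsystem xmlns="urn:jboss:domain:undertow:6.0" default-server="default-server"
           default-virtual-host="default-host" default-servlet-container="default">
    <server name="default-server">
        <host name="default-host" alias="localhost">
            <filter-ref name="Content-Security-Policy"/>
            <filter-ref name="x-frame-options"/>
            <filter-ref name="x-xss-protection"/>
            <filter-ref name="x-content-type-options"/>
            <filter-ref name="strict-transport-security"/>
            <filter-ref name="my-custom-header"/>
        </host>
    </server>
    <filters>
        <response-header name="server-header" header-name="Server" header-value="JBoss-EAP/7"/>
        <response-header name="x-powered-by-header" header-name="X-Powered-By" header-value="Undertow/1"/>
        <response-header name="Content-Security-Policy" header-name="Content-Security-Policy" header-value="default-src 'self'"/>
        <response-header name="x-frame-options" header-name="X-Frame-Options" header-value="SAMEORIGIN"/>
        <response-header name="x-xss-protection" header-name="X-XSS-Protection" header-value="1; mode=block"/>
        <response-header name="x-content-type-options" header-name="X-Content-Type-Options" header-value="nosniff"/>
        <response-header name="strict-transport-security" header-name="Strict-Transport-Security" header-value="max-age=31536000; includeSubDomains;"/>
        <response-header name="my-custom-header" header-name="my-custom-header" header-value="my-custom-value"/>
    </filters>
</subsystem>
"""


def audit_undertow(xml_text):
    """Return a report of filter-ref/filter consistency and the headers that will actually be sent."""
    root = ET.fromstring(xml_text)
    # The subsystem is namespaced (urn:jboss:domain:undertow:6.0 above); qualify tags accordingly.
    ns = root.tag[1:].split("}")[0] if root.tag.startswith("{") else ""

    def q(tag):
        return f"{{{ns}}}{tag}" if ns else tag

    filters_el = root.find(q("filters"))
    filters = {} if filters_el is None else {f.get("name"): f for f in filters_el}
    # filter-ref names are matched exactly (case-sensitive) against filter names.
    refs = [r.get("name") for r in root.iter(q("filter-ref"))]

    report = {"unresolved_refs": {}, "unreferenced_filters": [], "effective_headers": {}, "missing_expected": []}
    lower_filters = {name.lower(): name for name in filters}
    for ref in refs:
        if ref in filters:
            f = filters[ref]
            if f.tag == q("response-header"):
                report["effective_headers"][f.get("header-name")] = f.get("header-value")
        else:
            # Suggest a case-insensitive match, the usual cause of a dangling reference (or None).
            report["unresolved_refs"][ref] = lower_filters.get(ref.lower())
    # A filter with no filter-ref is defined but never applied, so its header is never sent.
    report["unreferenced_filters"] = sorted(set(filters) - set(refs))
    sent = {h.lower() for h in report["effective_headers"]}
    report["missing_expected"] = [h for h in EXPECTED_HEADERS if h.lower() not in sent]
    return report


if __name__ == "__main__":
    for key, value in audit_undertow(SAMPLE_SUBSYSTEM).items():
        print(f"{key}: {value}")
```

Run against the sample it reports that the server-header and x-powered-by-header filters are defined but not referenced by the host, so those two headers are not sent; that is fine if hiding them was the intent, but it is the kind of silent gap the script exists to surface. Pass the whole standalone.xml and the subsystem element instead of a fragment if you adapt it.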

Related

How to conditionally remove X-Frame-Options from reverse proxy response in IIS?

I have IIS 10 in front of a reverse proxy.
The reverse proxy sends responses with the header X-Frame-Options.
I need to remove this header from the response when another header is set to something:
Condition : CustomHeader is set to CustomValue
I have tried the following code (that doesn't include the condition because I don't know how to do it), but it doesn't work. The response still includes the X-Frame-Options header.
<httpProtocol>
    <customHeaders>
        <add name="X-Frame-Options" value="" />
    </customHeaders>
</httpProtocol>
Does anyone know how to solve that, please?
Thanks.
You can try the setting below:
<httpProtocol>
    <customHeaders>
        <remove name="X-Frame-Options" />
    </customHeaders>
</httpProtocol>
For more information, you can refer to this link: https://learn.microsoft.com/en-us/iis/configuration/system.webserver/httpprotocol/customheaders/#attributes.

Disallowing unneeded HTTP headers for non-HTML resources

The Sonar test suite makes the interesting point that it should be considered bad practice to send the HTTP headers
Content-Security-Policy
X-Content-Security-Policy
X-Frame-Options
X-UA-Compatible
X-WebKit-CSP
X-XSS-Protection
when sending non-HTML resources.
I currently configure my IIS server using web.config, namely
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
    <system.webServer>
        <httpProtocol>
            <customHeaders>
                <add name="Content-Security-Policy" value="default-src 'self' ; img-src 'self' data:; script-src 'self' cdnjs.cloudflare.com/ajax/libs/html5shiv/" />
                <add name="X-Frame-Options" value="DENY" />
                <add name="X-Content-Type-Options" value="nosniff" />
                <add name="X-Permitted-Cross-Domain-Policies" value="none" />
                <add name="X-UA-Compatible" value="IE=edge" />
                <add name="X-Xss-Protection" value="1; mode=block" />
            </customHeaders>
        </httpProtocol>
    </system.webServer>
</configuration>
But that configuration sends those headers regardless of the type of the resource sent.
How to make IIS selectively add those headers to the right types of files?
You can use the IIS URL Rewrite module (an IIS extension) and add the custom headers only for HTML resources.
Check this old question.
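Whichever server applies the headers, the way to confirm the Sonar point is to look at what actually comes back per resource type. The script below is an added example, not from the question or the answer; it folds a response's headers to lowercase, decides from Content-Type whether the resource is an HTML document, and then flags the six headers listed in the question when they appear on a non-HTML resource, flags the core security headers missing from an HTML document, and sanity-checks a few values (nosniff, a recognised X-Frame-Options value, an HSTS max-age). The three responses are constructed for the example; on a real site you would feed it dict(resp.headers) from urllib or a similar client. The function and list names are this example's own.

```python
"""Audit response headers per content type: HTML-only headers on non-HTML resources, gaps on HTML."""

# Headers the question's Sonar check treats as meaningful only on HTML documents.
HTML_ONLY_HEADERS = {
    "content-security-policy", "x-content-security-policy", "x-frame-options",
    "x-ua-compatible", "x-webkit-csp", "x-xss-protection",
}
# Headers every HTML response should carry (checked for presence, then a few values).
REQUIRED_ON_HTML = ("content-security-policy", "x-frame-options",
                    "x-content-type-options", "strict-transport-security")

# Constructed sample responses (header dicts only, as a client library would expose them).
HTML_RESPONSE = {
    "Content-Type": "text/html; charset=utf-8",
    "Content-Security-Policy": "default-src 'self'",
    "X-Frame-Options": "DENY",
    "X-Content-Type-Options": "nosniff",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
}
# A script served with the blanket web.config above: HTML-only headers ride along needlessly.
JS_RESPONSE = {
    "Content-Type": "application/javascript",
    "X-Frame-Options": "DENY",
    "X-Content-Type-Options": "nosniff",
    "X-UA-Compatible": "IE=edge",
}
# An HTML page with most headers missing and one set to a wrong value.
WEAK_HTML_RESPONSE = {"Content-Type": "text/html", "X-Content-Type-Options": "none"}


def _fold(headers):
    """HTTP header names are case-insensitive, so key everything by the lowercase name."""
    return {k.lower(): v for k, v in headers.items()}


def is_html(headers):
    ctype = _fold(headers).get("content-type", "")
    return ctype.split(";")[0].strip().lower() in ("text/html", "application/xhtml+xml")


def audit_response(headers):
    """Return a list of findings (empty means the response matches the policy)."""
    h = _fold(headers)
    findings = []
    if is_html(headers):
        for name in REQUIRED_ON_HTML:
            if name not in h:
                findings.append(f"missing {name}")
    else:
        for name in sorted(HTML_ONLY_HEADERS & set(h)):
            findings.append(f"unneeded {name} on non-HTML resource")
    # Value checks that apply wherever the header is present.
    if "x-content-type-options" in h and h["x-content-type-options"].strip().lower() != "nosniff":
        findings.append("x-content-type-options should be nosniff")
    if "x-frame-options" in h and h["x-frame-options"].strip().upper() not in ("DENY", "SAMEORIGIN"):
        findings.append("x-frame-options has an unrecognised value")
    if "strict-transport-security" in h:
        directives = [d.strip().lower() for d in h["strict-transport-security"].split(";") if d.strip()]
        if not any(d.startswith("max-age=") for d in directives):
            findings.append("strict-transport-security lacks max-age")
    return findings


if __name__ == "__main__":
    for label, resp in (("html", HTML_RESPONSE), ("js", JS_RESPONSE), ("weak", WEAK_HTML_RESPONSE)):
        print(label, audit_response(resp) or "ok")
```

Note that X-Content-Type-Options is deliberately not in the HTML-only set: nosniff matters most on scripts and stylesheets, so the JS sample keeps it and is only flagged for the frame and UA-compatibility headers.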

Is it possible to set X-Accel-Expires in web.config for ASP.NET?

I have a C# ASP.NET application with an NGINX server as a reverse proxy in front of it. I add a version query parameter for every CSS and JS file I include, and all images are immutable. For some JS files, however, I can't add these parameters, so NGINX will cache them for the entire length of the cache control header.
It is possible to overrule the cache control header for proxies by setting the X-Accel-Expires header. However, I don't know how to do this in IIS (web.config) and can't find out either. Does anyone know?
Here's a configuration for the root web.config; it simply adds X-Accel-Expires: 10 for assets/jquery-1.10.1.min.js.
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
    <location path="assets/jquery-1.10.1.min.js">
        <system.webServer>
            <httpProtocol>
                <customHeaders>
                    <add name="X-Accel-Expires" value="10" />
                </customHeaders>
            </httpProtocol>
        </system.webServer>
    </location>
</configuration>
For more information: Custom Headers <customHeaders>

Remove cache HTTP response headers from Web Api in Azure

I am trying to remove unwanted Cache-Control, Pragma and Expires HTTP headers in responses from a Web Api 2 project hosted on an Azure website in Standard mode.
I have tried the following in Global.asax Application_PreSendRequestHeaders:
var headers = ((HttpApplication)sender).Context.Response.Headers;
headers.Remove("Cache-Control");
headers.Remove("Pragma");
headers.Remove("Expires");
This works when debugging in Visual Studio. But on Azure, the headers are only removed for GET requests and not HEAD or POST requests.
Grateful for any suggestions!
Azure Web Sites supports the request filtering module, so you can do this in your web.config:
<system.webServer>
    <httpProtocol>
        <customHeaders>
            <remove name="Cache-Control" />
            <remove name="Pragma" />
            <remove name="Expires" />
        </customHeaders>
    </httpProtocol>
</system.webServer>
Disclaimer: I am not condoning the removal of these headers, which are an essential part of the HTTP protocol.
Removing cache headers says to clients "it is entirely up to you to decide how to cache this response", which may result in odd and hard-to-reproduce errors in production. If you want to disable caching, you should set these headers to values which explicitly disable caching:
<system.webServer>
    <httpProtocol>
        <customHeaders>
            <add name="Cache-Control" value="no-cache" />
            <add name="Pragma" value="no-cache" />
            <add name="Expires" value="-1" />
        </customHeaders>
    </httpProtocol>
</system.webServer>

Why is "SSL Settings" feature delegation disabled by default?

I would like to specify SSL flags in application web.config file. Actually, I would like to get something like this:
<configuration>
    ...
    <location path="">
        <system.webServer>
            <security>
                <access sslFlags="Ssl" />
            </security>
        </system.webServer>
    </location>
    <location path="Public">
        <system.webServer>
            <security>
                <access sslFlags="None" />
            </security>
        </system.webServer>
    </location>
    ...
</configuration>
But I found that "SSL Settings" feature delegation is disabled by default.
So I'm wondering if it's dangerous to enable this or not. I can't imagine why this can be dangerous... But I'm confused with default IIS settings.