Merge pull request #345 from coheigea/sec_headers

Enable X-XSS-Protection + X-Content-Type-Options headers for the webconsole
2019-05-14 07:37:58 +02:00 · 2019-05-14 07:37:58 +02:00 · 1d51c18713
parent a07e7909e5 a48cc820d2
commit 1d51c18713
1 changed files with 11 additions and 1 deletions
--- a/assembly/src/release/conf/jetty.xml
+++ b/assembly/src/release/conf/jetty.xml
@ -54,6 +54,16 @@
                  <property name="name" value="X-FRAME-OPTIONS"/>
                  <property name="value" value="SAMEORIGIN"/>
                </bean>
+                <bean id="header" class="org.eclipse.jetty.rewrite.handler.HeaderPatternRule">
+                  <property name="pattern" value="*"/>
+                  <property name="name" value="X-XSS-Protection"/>
+                  <property name="value" value="1; mode=block"/>
+                </bean>
+                <bean id="header" class="org.eclipse.jetty.rewrite.handler.HeaderPatternRule">
+                  <property name="pattern" value="*"/>
+                  <property name="name" value="X-Content-Type-Options"/>
+                  <property name="value" value="nosniff"/>
+                </bean>
            </list>
        </property>
    </bean>