
We need to fix a vulnerability in JBoss EAP 6.4 which is related to HTTP Security Header Not Detected (QID 11827).

This vulnerability is reported on the application server layer, and not on IHS. All the suggestions online are for JBoss EAP 7.x (undertow subsystem), and not applicable to JBoss EAP 6.4 (web subsystem).

I have tried to add filters under the WEB subsystem, in the standalone.xml, but it has not worked. Probably I am not using the correct format/syntax.

Please advise.

1 Answer


The aforementioned QID (11827) is detected when the following HTTP Headers are missing:

  • X-Frame-Options
  • X-XSS-Protection
  • X-Content-Type-Options
  • Strict-Transport-Security

A nice and easy way to set these headers is by implementing a custom filter. Please note that this is for a specific web application!

If you want to set these http headers globally, then you must implement a custom valve!