Configure Http Headers in JBoss EAP 7

Question

Do you know if there is a standard way to configure the Http Headers that JBoss EAP 7 sends to the client? I am mainly interested in being able to configure the following ones:

• X-XSS-Protection
• X-Frame-Options
• Strict-Transport-Security
• Content-Security-Policy
• X-Content-Type-Options

I found this link on the internet

https://blog.akquinet.de/2017/08/03/wildfly-8-10-and-jboss-eap-7-verbose-http-headers/

but I am not sure whether I can use it for the headers I am interested in.

Thank you!

Answer 1

As per the JBoss EAP 7 documentation:

Previous releases of JBoss EAP supported valves. Valves are custom classes inserted into the request processing pipeline for an application before servlet filters to make changes to the request or perform additional processing. Global valves are inserted into the request processing pipeline of all deployed applications. Authenticator valves authenticate the credentials of the request. Valves were created by extending the org.apache.catalina.valves.ValveBase class and configured in the element of the jboss-web.xml descriptor file.

Undertow, which replaces JBoss Web in JBoss EAP 7, does not support valves; however, you should be able to achieve similar functionality by using Undertow handlers. Undertow includes a number of built-in handlers that provide common functionality. It also provides the ability to create custom handlers, which can be used to replace custom valve functionality.

You can still go this route for complex situations however now in utilizing Undertow add response headers been simplified as you can just add custom headers to the JBoss Undertow Subsystem, you're filters section will change from this:

<filters>
    <response-header name="server-header" header-name="Server" header-value="JBoss-EAP/7"/>
    <response-header name="x-powered-by-header" header-name="X-Powered-By" header-value="Undertow/1"/>
</filters>

To this:

<filters>
    <response-header name="server-header" header-name="Server" header-value="JBoss-EAP/7"/>
    <response-header name="x-powered-by-header" header-name="X-Powered-By" header-value="Undertow/1"/>
    <!-- Begin custom Headers -->
    <response-header name="x-xss-protection" header-name="X-XSS-Protection" header-value=""/>
    <response-header name="x-frame-options" header-name="X-Frame-Options" header-value=""/>
    <response-header name="strict-transport-security" header-name="Strict-Transport-Security" header-value=""/>
    <response-header name="content-security-policy" header-name="Content-Security-Policy" header-value=""/>
    <response-header name="x-Content-type-options" header-name="X-Content-Type-Options" header-value=""/>
</filters>

I'll leave it up to everyone else to determine the values they'd like to place for the headers (save some editing during copy/paste)