Configure Http Headers in JBoss EAP 7

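Do you know if there is a standard way to configure the HTTP headers that JBoss EAP 7 sends to the client? I am mainly interested in being able to configure the following:

I found this link online:

https://blog.akquinet.de/2017/08/03/wildfly-8-10-and-jboss-eap-7-verbose-http-headers/

but I'm not sure whether I can use it for the headers I'm interested in.

Thanks!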

According to the JBoss EAP 7 documentation:

Previous releases of JBoss EAP supported valves. Valves are custom classes inserted into the request processing pipeline for an application before servlet filters to make changes to the request or perform additional processing. Global valves are inserted into the request processing pipeline of all deployed applications. Authenticator valves authenticate the credentials of the request. Valves were created by extending the org.apache.catalina.valves.ValveBase class and configured in the element of the jboss-web.xml descriptor file.

Undertow, which replaces JBoss Web in JBoss EAP 7, does not support valves; however, you should be able to achieve similar functionality by using Undertow handlers. Undertow includes a number of built-in handlers that provide common functionality. It also provides the ability to create custom handlers, which can be used to replace custom valve functionality.

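You can still go that route in complex situations, but adding response headers is now simpler with Undertow, because you only need to add the custom headers to the JBoss Undertow subsystem. Your filters section will change from this: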

<filters>
    <response-header name="server-header" header-name="Server" header-value="JBoss-EAP/7"/>
    <response-header name="x-powered-by-header" header-name="X-Powered-By" header-value="Undertow/1"/>
</filters>


to this:

<filters>
    <response-header name="server-header" header-name="Server" header-value="JBoss-EAP/7"/>
    <response-header name="x-powered-by-header" header-name="X-Powered-By" header-value="Undertow/1"/>
    <!-- Begin custom Headers -->
    <response-header name="x-xss-protection" header-name="X-XSS-Protection" header-value=""/>
    <response-header name="x-frame-options" header-name="X-Frame-Options" header-value=""/>
    <response-header name="strict-transport-security" header-name="Strict-Transport-Security" header-value=""/>
    <response-header name="content-security-policy" header-name="Content-Security-Policy" header-value=""/>
    <response-header name="x-Content-type-options" header-name="X-Content-Type-Options" header-value=""/>
</filters>

I'll leave it to others to determine the values they want to set for the headers (to save some editing during copy/paste).

See the JBoss EAP 7 link: Configuring Filters

Open your standalone.xml in the JBoss EAP 7 directory and search for urn:jboss:domain:undertow, then add your custom filter rules, for example:

<filters>
  <response-header name="server-header" header-name="Server" header-value="JBoss-EAP/7"/>
  <response-header name="x-powered-by-header" header-name="X-Powered-By" header-value="Undertow/1"/>
  <!--your custom rules in detail-->
  <response-header name="x-frame-options" header-name="X-Frame-Options" header-value=""/>
</filters>

Don't forget to add <filter-ref name="x-frame-options"/> in:

<subsystem xmlns="urn:jboss:domain:undertow:4.0">
    <host name="default-host" alias="localhost">
        <location name="/" handler="welcome-content"/>
        <filter-ref name="server-header"/>
        <filter-ref name="x-powered-by-header"/>
        <!--declare your custom rules here-->
        <filter-ref name="x-frame-options"/>
        <single-sign-on http-only="true" secure="true"/>
        <http-invoker security-realm="ApplicationRealm"/>
    </host>
</subsystem>
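
A check for the two pitfalls in the answers above, added here as an example that is not part of either answer or of JBoss itself: a response-header filter that is defined under <filters> but never referenced by a <filter-ref>, and a header-value left empty. The function name, the sample XML and the header values in it are constructed for illustration.

```python
import xml.etree.ElementTree as ET

UNDERTOW_NS = "{urn:jboss:domain:undertow:"  # matches any subsystem version

# Constructed sample (trimmed subsystem; header values are illustrative only).
SAMPLE = """\
<subsystem xmlns="urn:jboss:domain:undertow:4.0">
  <server name="default-server">
    <host name="default-host" alias="localhost">
      <location name="/" handler="welcome-content"/>
      <filter-ref name="server-header"/>
      <filter-ref name="x-frame-options"/>
    </host>
  </server>
  <filters>
    <response-header name="server-header" header-name="Server" header-value="JBoss-EAP/7"/>
    <response-header name="x-frame-options" header-name="X-Frame-Options" header-value="DENY"/>
    <response-header name="x-content-type-options" header-name="X-Content-Type-Options" header-value="nosniff"/>
    <response-header name="content-security-policy" header-name="Content-Security-Policy" header-value=""/>
  </filters>
</subsystem>
"""

def audit_response_headers(xml_text):
    """Map each response-header filter name to the problems found with it."""
    defined, referenced = {}, set()
    for el in ET.fromstring(xml_text).iter():
        if not el.tag.startswith(UNDERTOW_NS):
            continue  # ignore other subsystems when given a full standalone.xml
        kind = el.tag.rsplit("}", 1)[-1]
        if kind == "response-header":
            defined[el.get("name")] = el.get("header-value") or ""
        elif kind == "filter-ref":
            referenced.add(el.get("name"))
    findings = {}
    for name, value in defined.items():
        problems = []
        if name not in referenced:
            problems.append("defined but no filter-ref points at it")
        if not value.strip():
            problems.append("empty header-value")
        if problems:
            findings[name] = problems
    return findings

if __name__ == "__main__":
    for name, problems in audit_response_headers(SAMPLE).items():
        print(f"{name}: {'; '.join(problems)}")
```

Passing the text of a real standalone.xml to audit_response_headers runs the same check against a server's configuration.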