This is an automated email from the ASF dual-hosted git repository.

cziegeler pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/felix-dev.git


The following commit(s) were added to refs/heads/master by this push:
     new 8c13ebd350 Update README.md
8c13ebd350 is described below

commit 8c13ebd350d437a584b17e43dba6b007323abb99
Author: Carsten Ziegeler <cziege...@apache.org>
AuthorDate: Wed Mar 26 17:53:57 2025 +0100

    Update README.md
---
 webconsole/README.md | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/webconsole/README.md b/webconsole/README.md
index 2f492d2a02..c1412768c6 100644
--- a/webconsole/README.md
+++ b/webconsole/README.md
@@ -18,6 +18,9 @@ The required dependencies are:
 
 The installation of the web console is straight forward. Provide an OSGi 
Framework with the mentioned required dependenices and install the bundle.
 
+**Important:** The webconsole does not provide a CSRF protection out of the 
box! Therefore it is advisable to install additional software to protect the 
webconsole. For example the bundle from [Apache Sling 
Security](https://github.com/apache/sling-org-apache-sling-security) provides 
this additional protection. Make sure to use the latest version (1.3.0 or 
higher).
+
+
 ## Configuration
 
 The Web Console can be configured via framework properties as well as via a 
configuration through the OSGi Configuration Admin Service. The framework 
properties can be used in case your runtime does not provide a OSGi 
Configuration Admin Service.
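Review bot: The notice added to the installation section reads "does not provide a CSRF protection"; drop the article ("does not provide CSRF protection out of the box"). The second empty `+` line before `## Configuration` leaves two blank lines ahead of the heading where the file otherwise uses one. The text gives a minimum version (1.3.0) but identifies the bundle only by a link to the repository, so naming the bundle that the version applies to would make the requirement something a reader can check against their installed bundles.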
@@ -56,6 +59,8 @@ Please note that setting any of these properties as framework 
property makes the
 
 ## Security
 
+**Important:** The webconsole does not provide a CSRF protection out of the 
box! Therefore it is advisable to install additional software to protect the 
webconsole. For example the bundle from [Apache Sling 
Security](https://github.com/apache/sling-org-apache-sling-security) provides 
this additional protection. Make sure to use the latest version (1.3.0 or 
higher).
+
 The Web Console only has very basic security at the moment supporting only 
HTTP Basic authentication. This security is enabled by default and may be 
disabled by simply clearing the `username` property.
 
 To enhance the security of the Web Console you are strongly encouraged to 
change at least the `password` for the admin user.
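Review bot: The notice added under `## Security` is a verbatim copy of the one added to the installation section, so the version requirement (1.3.0 or higher) now has to be kept in sync in two places. Keep the full text here and reduce the installation section to a one-line pointer to `## Security`. The notice would also read better after the context paragraph on HTTP Basic authentication, since that paragraph describes the console's only built-in protection and the CSRF warning is a gap in it. The same "a CSRF protection" wording fix applies here.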
