Krishna Pandey created KNOX-1028:
------------------------------------

             Summary: X-Frame-Options and other security headers are ineffective
                 Key: KNOX-1028
                 URL: https://issues.apache.org/jira/browse/KNOX-1028
             Project: Apache Knox
          Issue Type: Bug
          Components: Server
    Affects Versions: 0.13.0, 0.14.0
            Reporter: Krishna Pandey
            Priority: Critical
         Attachments: Screen Shot 2017-09-07 at 10.31.20 PM.png
When the xframe-options.enabled param is set to true in the WebAppSec provider, the same is not reflected in the HTTP response header. See the attached screenshot here !Screen Shot 2017-09-07 at 10.31.20 PM.png|thumbnail! . Also, the X-XSRF-Header param is not effective, and curl calls without X-XSRF-Header are also passing through, e.g.:

{code}
$ curl -iku admin:admin-password https://localhost:8443/gateway/admin/api/v1/version
HTTP/1.1 200 OK
Date: Thu, 07 Sep 2017 16:57:27 GMT
Set-Cookie: JSESSIONID=169y7xds1o2ga3mvrbtly6t77;Path=/gateway/admin;Secure;HttpOnly
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: rememberMe=deleteMe; Path=/gateway/admin; Max-Age=0; Expires=Wed, 06-Sep-2017 16:57:27 GMT
Content-Type: application/xml
Content-Length: 167
Server: Jetty(9.2.15.v20160210)

<?xml version="1.0" encoding="UTF-8"?>
<ServerVersion>
  <version>0.14.0-SNAPSHOT</version>
  <hash>6657f2fd9f52c8303fc9a2d1d72eef38be719288</hash>
</ServerVersion>
{code}

Related topology config:

{noformat}
<provider>
    <role>webappsec</role>
    <name>WebAppSec</name>
    <enabled>true</enabled>
    <param>
        <name>csrf.enabled</name>
        <value>true</value>
    </param>
    <param>
        <name>csrf.customHeader</name>
        <value>X-XSRF-Header</value>
    </param>
    <param>
        <name>csrf.methodsToIgnore</name>
        <value>GET,OPTIONS,HEAD</value>
    </param>
    <param>
        <name>cors.enabled</name>
        <value>true</value>
    </param>
    <param>
        <name>xframe-options.enabled</name>
        <value>true</value>
    </param>
</provider>
{noformat}

--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
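The report pairs a WebAppSec provider config with a raw curl response and asks whether the config took effect. The following script, added here as an example and not part of Knox or of the reporter's submission, turns that comparison into an offline check: it reads the provider's params out of the topology snippet, parses the response headers shown in the report (embedded as constructed input, with the XML body shortened), lists the security headers the config says should be present but are not, and models what the csrf.* params are meant to enforce. The function names, the mapping from xframe-options.enabled to X-Frame-Options, and the CSRF decision model are assumptions of this example, not Knox's implementation.

```python
import xml.etree.ElementTree as ET

# Constructed input: the WebAppSec provider block from the report's topology.
PROVIDER_XML = """<provider>
  <role>webappsec</role>
  <name>WebAppSec</name>
  <enabled>true</enabled>
  <param><name>csrf.enabled</name><value>true</value></param>
  <param><name>csrf.customHeader</name><value>X-XSRF-Header</value></param>
  <param><name>csrf.methodsToIgnore</name><value>GET,OPTIONS,HEAD</value></param>
  <param><name>cors.enabled</name><value>true</value></param>
  <param><name>xframe-options.enabled</name><value>true</value></param>
</provider>"""

# Constructed input: the response headers from the report's curl call;
# the body is shortened to a placeholder element.
RAW_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Thu, 07 Sep 2017 16:57:27 GMT\r\n"
    "Set-Cookie: JSESSIONID=169y7xds1o2ga3mvrbtly6t77;Path=/gateway/admin;Secure;HttpOnly\r\n"
    "Expires: Thu, 01 Jan 1970 00:00:00 GMT\r\n"
    "Set-Cookie: rememberMe=deleteMe; Path=/gateway/admin; Max-Age=0\r\n"
    "Content-Type: application/xml\r\n"
    "Content-Length: 167\r\n"
    "Server: Jetty(9.2.15.v20160210)\r\n"
    "\r\n"
    "<?xml version=\"1.0\" encoding=\"UTF-8\"?><ServerVersion/>"
)


def load_provider_params(xml_text: str) -> dict:
    """Return the provider's <param> name/value pairs as a dict."""
    root = ET.fromstring(xml_text)
    return {p.findtext("name"): p.findtext("value") for p in root.findall("param")}


def parse_response_headers(raw: str) -> dict:
    """Parse the header section of a raw HTTP/1.1 response into a map of
    lowercase header name -> list of values (repeated headers such as
    Set-Cookie keep every occurrence)."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:  # index 0 is the status line
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def expected_security_headers(params: dict) -> set:
    """Headers the config should produce. Assumption of this example:
    xframe-options.enabled=true means an X-Frame-Options header is expected."""
    expected = set()
    if params.get("xframe-options.enabled", "false").lower() == "true":
        expected.add("X-Frame-Options")
    return expected


def missing_security_headers(raw_response: str, params: dict) -> list:
    """Expected security headers that the response does not carry."""
    present = parse_response_headers(raw_response)
    return sorted(h for h in expected_security_headers(params)
                  if h.lower() not in present)


def csrf_allows(method: str, request_headers: dict, params: dict) -> bool:
    """Assumed model of the csrf.* params: when csrf.enabled is true, any
    request whose method is not in csrf.methodsToIgnore must carry the
    csrf.customHeader header (name compared case-insensitively)."""
    if params.get("csrf.enabled", "false").lower() != "true":
        return True
    ignored = {m.strip().upper()
               for m in params.get("csrf.methodsToIgnore", "").split(",") if m.strip()}
    if method.upper() in ignored:
        return True
    custom = params.get("csrf.customHeader", "X-XSRF-Header").lower()
    return any(name.lower() == custom for name in request_headers)


if __name__ == "__main__":
    params = load_provider_params(PROVIDER_XML)
    print("missing headers:", missing_security_headers(RAW_RESPONSE, params))
    print("POST without custom header allowed:", csrf_allows("POST", {}, params))
```

Run against the report's own data, the check reports X-Frame-Options as missing, which is the symptom the screenshot shows. Note that the report's curl call is a GET and the config lists GET in csrf.methodsToIgnore, so the model exempts that request by configuration; it only rejects a method outside that list that lacks the custom header, which is the case a verification request should exercise.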