Configure HTTP headers for Jboss Admin Console URL

Question

When configuring the filters in undertow to apply some http response headers, the headers are appearing only for the http & https ports, not for the management-http & management-https ports. Is there any way to configure the same for management console as well? Below is my current configuration

        <subsystem xmlns="urn:jboss:domain:undertow:7.0">
            <buffer-cache name="default"/>
            <server name="default-server">
                <http-listener name="default" socket-binding="http" redirect-socket="https" enable-http2="true"/>
                <https-listener name="https" socket-binding="https" security-realm="ApplicationRealm" enable-http2="true" enabled-protocols="TLSv1.2" />
                <host name="default-host" alias="localhost">
                    <location name="/" handler="welcome-content"/>
                    <filter-ref name="server-header"/>
                    <filter-ref name="x-powered-by-header"/>
                    <filter-ref name="x-xss-protection"/>
                    <filter-ref name="x-content-type-options"/>
                    <filter-ref name="strict-transport-security"/>
                    <http-invoker security-realm="ApplicationRealm"/>
                </host>
            </server>
            <servlet-container name="default">
                <jsp-config/>
                <websockets/>
            </servlet-container>
            <handlers>
                <file name="welcome-content" path="${jboss.home.dir}/welcome-content"/>
            </handlers>
            <filters>
                <response-header name="server-header" header-name="Server" header-value="JBoss-EAP/7"/>
                <response-header name="x-powered-by-header" header-name="X-Powered-By" header-value="Undertow/1"/>
                <response-header name="x-xss-protection" header-name="X-XSS-Protection" header-value="1; mode=block"/>
                <response-header name="x-content-type-options" header-name="X-Content-Type-Options" header-value="nosniff"/>
                <response-header name="strict-transport-security" header-name="Strict-Transport-Security" header-value="max-age=31536000; includeSubDomains"/>
            </filters>
        </subsystem>

Header for Management/Admin Console:

Header for Application:

the management server is not exposed by the undertow subsystem. — ehsavoie, Jul 22 '20 at 14:13
What hreaders do you need / want ? I'm not sure this is currently easily achievable. — ehsavoie, Jul 23 '20 at 08:15
for instance, I want to add X-XSS-Protection: 1; mode=block for admin console as well. — Biswadip Dey, Jul 23 '20 at 08:26
I think I was wrong you can use https://docs.wildfly.org/20/wildscribe/core-service/management/management-interface/http-interface/index.html#attr-constant-headers — ehsavoie, Jul 24 '20 at 08:12
Thanks for the link, @ehsavoie, but not able to figure out how to add it to the domain.xml file; please help if you can share some samples. — deenaik, Jun 30 '21 at 14:29
@deenaik this feature is available from EAP 7.3 https://access.redhat.com/solutions/4711131 — Biswadip Dey, Jul 12 '21 at 15:55

score 0 · Answer 1 · answered Jul 12 '21 at 16:04

This feature is available from JBOSS EAP 7.3. For standalone mode configuration,

    <management-interfaces>
        <http-interface security-realm="ManagementRealm">
            <http-upgrade enabled="true"/>
            <socket-binding http="management-http"/>
            <constant-headers>
                <header-mapping path="/management">
                    <header name="X-Header" value="HeaderValue"/>
                </header-mapping>
                <header-mapping path="/management">
                    <header name="Y-Header" value="HeaderValue2"/>
                </header-mapping>
            </constant-headers>
        </http-interface>
    </management-interfaces>

For domain mode configuration in host.xml,

    <management-interfaces>
        <http-interface security-realm="ManagementRealm">
            <http-upgrade enabled="true"/>
            <socket interface="management" port="${jboss.management.http.port:9990}"/>
            <constant-headers>
                <header-mapping path="/management">
                    <header name="X-Header" value="HeaderValue"/>
                </header-mapping>
                <header-mapping path="/management">
                    <header name="Y-Header" value="HeaderValue2"/>
                </header-mapping>
            </constant-headers>
        </http-interface>
    </management-interfaces>

I'm running EAP 3.7.3 but when I add the constant-headers in standalone.xml I get "'constant-headers' isn't an allowed element here". Any ideas why? — D Rickard, Mar 10 '22 at 00:20
Check the tag if you are accessing management console using context root /console then the tag would be — Biswadip Dey, Mar 15 '22 at 17:24

Configure HTTP headers for Jboss Admin Console URL

1 Answers1