Hide/expose HTTP headers in Wildfly 10.1+

Goal

Configure Wildfly to expose/hide specific HTTP headers

Description

In one of my most recent projects, after a security team analysis, we were asked to hide the server and x-powered-by headers.

Because this is a recommended and safer practice, I will configure Wildfly that way from now on. This recipe explains how to do it.

How to

Open your standalone.xml, find the subsystem with the namespace urn:jboss:domain:undertow:3.1, and comment out the filter-ref entries in the host together with the matching response-header entries in the filters section, as follows:

<subsystem xmlns="urn:jboss:domain:undertow:3.1">
  ...
    <host name="default-host" alias="localhost">
      <location name="/" handler="welcome-content"/>
<!--
      <filter-ref name="server-header"/>
      <filter-ref name="x-powered-by-header"/>
-->
    </host>
  ...
  <filters>
<!--
    <response-header name="server-header" header-name="Server" header-value="WildFly/10"/>
    <response-header name="x-powered-by-header" header-name="X-Powered-By" header-value="Undertow/1"/>
-->
  </filters>
</subsystem>

Similarly, if we wanted to expose another (custom) HTTP header in all responses, we could do it as follows:

<subsystem xmlns="urn:jboss:domain:undertow:3.1">
  ...
    <host name="default-host" alias="localhost">
      <location name="/" handler="welcome-content"/>
      <filter-ref name="x-my-custom-header"/>
    </host>
  ...
  <filters>
    <response-header name="x-my-custom-header" header-name="x-my-custom-header" header-value="Paulo Zenida"/>
  </filters>
</subsystem>
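The same two edits, dropping the stock filters and adding a custom one, done programmatically so they can be applied to several standalone.xml files consistently. This is an added example, not code from the post or from WildFly: the undertow subsystem fragment it parses is a constructed, trimmed copy that includes the server element the post elides, and the function names are my own. Note the namespace: every element has to be looked up as {urn:jboss:domain:undertow:3.1}name or ElementTree finds nothing.

```python
import xml.etree.ElementTree as ET

UNDERTOW_NS = "urn:jboss:domain:undertow:3.1"

# Constructed, trimmed copy of the undertow subsystem as shipped in a WildFly 10.1
# standalone.xml; elements and attributes unrelated to header filters are left out.
SAMPLE_SUBSYSTEM = """<subsystem xmlns="urn:jboss:domain:undertow:3.1">
  <server name="default-server">
    <http-listener name="default" socket-binding="http" redirect-socket="https"/>
    <host name="default-host" alias="localhost">
      <location name="/" handler="welcome-content"/>
      <filter-ref name="server-header"/>
      <filter-ref name="x-powered-by-header"/>
    </host>
  </server>
  <filters>
    <response-header name="server-header" header-name="Server" header-value="WildFly/10"/>
    <response-header name="x-powered-by-header" header-name="X-Powered-By" header-value="Undertow/1"/>
  </filters>
</subsystem>"""

# Serialise with the plain xmlns="..." form WildFly uses instead of an ns0: prefix.
ET.register_namespace("", UNDERTOW_NS)


def _q(tag):
    """Namespace-qualify an undertow element name for ElementTree lookups."""
    return "{%s}%s" % (UNDERTOW_NS, tag)


def effective_response_headers(subsystem):
    """Return {header-name: header-value} for every response-header filter that some
    <filter-ref> actually references; a filter nobody references is inert."""
    referenced = {ref.get("name") for ref in subsystem.iter(_q("filter-ref"))}
    result = {}
    for rh in subsystem.iter(_q("response-header")):
        if rh.get("name") in referenced:
            result[rh.get("header-name")] = rh.get("header-value")
    return result


def remove_response_header_filter(subsystem, filter_name):
    """Remove the <filter-ref> entries and the <response-header> definition for
    filter_name (the equivalent of commenting them out). Returns elements removed."""
    removed = 0
    for host in subsystem.iter(_q("host")):
        for ref in list(host.findall(_q("filter-ref"))):
            if ref.get("name") == filter_name:
                host.remove(ref)
                removed += 1
    filters = subsystem.find(_q("filters"))
    if filters is not None:
        for rh in list(filters.findall(_q("response-header"))):
            if rh.get("name") == filter_name:
                filters.remove(rh)
                removed += 1
    return removed


def add_response_header_filter(subsystem, filter_name, header_name, header_value,
                               host_name="default-host"):
    """Define a <response-header> filter and reference it from the named host."""
    filters = subsystem.find(_q("filters"))
    if filters is None:
        filters = ET.SubElement(subsystem, _q("filters"))
    if any(rh.get("name") == filter_name for rh in filters.findall(_q("response-header"))):
        raise ValueError("filter %r is already defined" % filter_name)
    hosts = [h for h in subsystem.iter(_q("host")) if h.get("name") == host_name]
    if not hosts:
        raise ValueError("host %r not found" % host_name)
    ET.SubElement(filters, _q("response-header"),
                  {"name": filter_name, "header-name": header_name, "header-value": header_value})
    for host in hosts:
        ET.SubElement(host, _q("filter-ref"), {"name": filter_name})


def harden(xml_text, drop=("server-header", "x-powered-by-header")):
    """Parse an undertow subsystem and strip the fingerprinting filters; returns the tree."""
    subsystem = ET.fromstring(xml_text)
    for name in drop:
        remove_response_header_filter(subsystem, name)
    return subsystem


def render(subsystem):
    """Serialise the subsystem back to text ready to paste into standalone.xml."""
    return ET.tostring(subsystem, encoding="unicode")


if __name__ == "__main__":
    sub = harden(SAMPLE_SUBSYSTEM)
    add_response_header_filter(sub, "x-my-custom-header", "x-my-custom-header", "Paulo Zenida")
    print(render(sub))
```

Deleting only the filter definition while leaving its filter-ref behind would leave a dangling reference, so the helper removes both halves; effective_response_headers() is the quick audit to run on a file you did not edit yourself, because it only counts filters that a host actually references.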

Explanations

With the proposed configuration, Wildfly no longer sets those headers. Hiding the name and version of the application server that serves the application from attackers is a good security measure. Therefore, I recommend this kind of configuration for all your projects running in Wildfly from now on.
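A quick way to confirm the change took effect is to compare the response headers of a deployed application before and after restarting WildFly. The check below is an added example, not code from the post: disclosed_headers() reports any Server or X-Powered-By header in a response, parse_raw_headers() feeds it the header block of a raw response such as curl -i output, and check_url() performs a live HEAD request. The two raw responses are constructed to mirror a stock WildFly 10 reply and a hardened one. If the application sits behind a reverse proxy, run the check against the proxy too, since proxies such as nginx and Apache httpd add their own Server header.

```python
import http.client
from urllib.parse import urlsplit

# Headers that identify the server stack; WildFly/Undertow emit both by default.
FINGERPRINT_HEADERS = ("server", "x-powered-by")


def disclosed_headers(headers):
    """Given an iterable of (name, value) pairs, return the fingerprinting headers
    present, keyed by lower-cased name. An empty dict means nothing is disclosed."""
    found = {}
    for name, value in headers:
        key = name.strip().lower()
        if key in FINGERPRINT_HEADERS:
            found.setdefault(key, []).append(value.strip())
    return found


def parse_raw_headers(raw):
    """Split the header block of a raw HTTP response (for example the output of
    curl -i) into (name, value) pairs; the status line and body are skipped."""
    lines = raw.replace("\r\n", "\n").split("\n")
    pairs = []
    for line in lines[1:]:
        if not line.strip():
            break  # blank line ends the header block
        name, sep, value = line.partition(":")
        if sep:
            pairs.append((name, value))
    return pairs


def check_url(url, timeout=5):
    """HEAD the URL and return disclosed_headers() for the live response.
    Assumes the host is reachable over plain HTTP or HTTPS from this machine."""
    parts = urlsplit(url)
    conn_cls = http.client.HTTPSConnection if parts.scheme == "https" else http.client.HTTPConnection
    conn = conn_cls(parts.hostname, parts.port, timeout=timeout)
    try:
        conn.request("HEAD", parts.path or "/")
        return disclosed_headers(conn.getresponse().getheaders())
    finally:
        conn.close()


# Constructed responses: a stock WildFly 10 reply and one with the filters removed.
BEFORE = ("HTTP/1.1 200 OK\r\nConnection: keep-alive\r\nX-Powered-By: Undertow/1\r\n"
          "Server: WildFly/10\r\nContent-Type: text/html\r\n\r\n<html>")
AFTER = ("HTTP/1.1 200 OK\r\nConnection: keep-alive\r\n"
         "Content-Type: text/html\r\n\r\n<html>")


if __name__ == "__main__":
    for label, raw in (("before", BEFORE), ("after", AFTER)):
        print(label, disclosed_headers(parse_raw_headers(raw)))
    # Live check, e.g. check_url("http://localhost:8080/") once WildFly is restarted.
```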


2 comments

  1. How do you add the new custom headers using wildfly’s Command Line Interface (CLI)? This is how many people manage their wildfly instance.

    For example, the 1st comment on this post: http://blog.pikodat.com/2016/01/22/remove-server-and-x-powered-by-headers-in-wildfly/, explains how to remove the server-header and x-powered-by-header using CLI.

    If anyone knows of an article explaining how to add http headers this way, please reply to this comment. Thx
