Hide/expose HTTP headers in Wildfly 10.1+

Goal

Configure Wildfly to expose/hide specific HTTP headers

Description

In one of my most recent projects, after a security team analysis, we were asked to hide the server and x-powered-by headers.

Because this is a recommended and safer practice, I will start configuring Wildfly that way. This recipe explains how to do it.

How to

Open your standalone.xml, go to the subsystem urn:jboss:domain:undertow:3.1 and comment out the filter-ref elements of the host and the matching response-header entries in the filters section, as follows:

<subsystem xmlns="urn:jboss:domain:undertow:3.1">
  ...
    <host name="default-host" alias="localhost">
      <location name="/" handler="welcome-content"/>
<!--
      <filter-ref name="server-header"/>
      <filter-ref name="x-powered-by-header"/>
-->
    </host>
  ...
  <filters>
<!--
    <response-header name="server-header" header-name="Server" header-value="WildFly/10"/>
    <response-header name="x-powered-by-header" header-name="X-Powered-By" header-value="Undertow/1"/>
-->
  </filters>
</subsystem>

Similarly, if we wanted to expose another (custom) HTTP header on every response, we could do it as follows:

<subsystem xmlns="urn:jboss:domain:undertow:3.1">
  ...
    <host name="default-host" alias="localhost">
      <location name="/" handler="welcome-content"/>
      <filter-ref name="x-my-custom-header"/>
    </host>
  ...
  <filters>
    <response-header name="x-my-custom-header" header-name="x-my-custom-header" header-value="Paulo Zenida"/>
  </filters>
</subsystem>
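After restarting Wildfly, it is worth checking that the fingerprinting headers are really gone and that any custom header is really set. The script below is an added example, not part of the original post: it parses a raw HTTP response header block, reports Server and X-Powered-By if they are still present, and reports any required custom header that is missing. The two sample responses are constructed for the example (the "before" one mirrors the default header-value attributes from the configuration above), and audit_url is a helper that runs the same check against a live server with a HEAD request.

```python
"""Audit HTTP response headers for server fingerprinting leaks.

Added example, not code from the original post. Checks that the headers
the Wildfly configuration removes (Server, X-Powered-By) are absent and
that a required custom header is present with the expected value.
"""
import urllib.request

# Headers that reveal the application server; the post's configuration removes them.
FORBIDDEN_HEADERS = ("server", "x-powered-by")


def parse_raw_headers(raw: str) -> dict:
    """Parse a raw HTTP response (status line followed by header lines)
    into a dict of lower-cased header name -> value."""
    lines = raw.strip().splitlines()
    headers = {}
    for line in lines[1:]:  # skip the status line
        if not line.strip():
            break  # end of the header block
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def audit_headers(headers: dict, required=None) -> dict:
    """Return the leaked fingerprinting headers, the required headers that are
    missing or have the wrong value, and an overall ok flag."""
    required = required or {}
    leaked = {n: headers[n] for n in FORBIDDEN_HEADERS if n in headers}
    missing = {n: v for n, v in required.items() if headers.get(n.lower()) != v}
    return {"leaked": leaked, "missing": missing, "ok": not leaked and not missing}


def audit_url(url: str, required=None) -> dict:
    """Live check: send a HEAD request and audit the response headers.
    Assumes the server is reachable; url is supplied by the caller."""
    req = urllib.request.Request(url, method="HEAD")
    with urllib.request.urlopen(req, timeout=5) as resp:
        headers = {k.lower(): v for k, v in resp.getheaders()}
    return audit_headers(headers, required)


# Constructed sample responses (not captured from a real server).
BEFORE = """HTTP/1.1 200 OK
Connection: keep-alive
X-Powered-By: Undertow/1
Server: WildFly/10
Content-Type: text/html;charset=UTF-8
Content-Length: 1531
"""

AFTER = """HTTP/1.1 200 OK
Connection: keep-alive
Content-Type: text/html;charset=UTF-8
Content-Length: 1531
x-my-custom-header: Paulo Zenida
"""

REQUIRED = {"x-my-custom-header": "Paulo Zenida"}

if __name__ == "__main__":
    for label, raw in (("before", BEFORE), ("after", AFTER)):
        print(label, audit_headers(parse_raw_headers(raw), REQUIRED))
```

To check a running instance, call audit_url("http://localhost:8080/", REQUIRED) and expect ok to be True. If a reverse proxy (Apache httpd, nginx) sits in front of Wildfly, audit the externally visible URL as well, since the proxy adds its own Server header independently of this configuration.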

Explanations

With the configuration proposed, Wildfly will no longer set those headers. Hiding information from hackers, namely which application server is serving the application, is a good security measure. Therefore, I recommend that you apply this kind of configuration to all your projects running in Wildfly from now on.
