Http response header configuration is not working in Kafka rest proxy and schema registry
killerfish16 opened this issue · 2 comments
First of all, apologies if this is not the right forum to raise this issue.
Please reject if this is not the right forum.
We are using confluent platform 5.3.1 community edition.
Recently, as part of a security scan, we have got a missing HTTP header (X-XSS-Protection, X-Content-Type-Options) security vulnerability reported for the Kafka REST proxy and Schema Registry services.
As per the Confluent documentation, we can add the response.http.headers.config property to the config to add/set the required headers.
https://docs.confluent.io/platform/current/kafka-rest/production-deployment/rest-proxy/config.html https://docs.confluent.io/platform/current/schema-registry/installation/config.html
We have added the config in the respective configuration file and restarted the services.
Lines added to the config:
Rest proxy
response.http.headers.config=add X-XSS-Protection: 1; mode=block, add X-Content-Type-Options: nosniff
Schema Registry
response.http.headers.config="add Cache-Control: no-cache, no-store, must-revalidate", add X-XSS-Protection: 1; mode=block, add Strict-Transport-Security: max-age=31536000; includeSubDomains, add X-Content-Type-Options: nosniff
After restarting the services, we expected to receive the additional HTTP response headers in the response, but we still aren't getting those headers.
Request: GET http://xxxx:8082/
Response Headers
Date: Mon, 11 Jan 2021 14:13:58 GMT
Content-Type: application/vnd.kafka.v1+json
Vary: Accept-Encoding, User-Agent
Content-Length: 2
Server: Jetty(9.4.18.v20190429)
Any suggestions for getting those missing headers in the response? Thanks in advance.
This feature was added in Confluent Platform 6.0. You won't be able to use it in Confluent Platform 5.3.
Yes, this works fine from 6.0
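As an added example (not from this thread or from Confluent's code), the following parses a response.http.headers.config value in the directive format used above, including the double-quoted Cache-Control directive whose value contains commas, and reports which configured headers a response lacks; the sample headers are constructed from the 5.3.1 response quoted in the issue, and check_live is a hypothetical helper for running the same check against a real endpoint.

```python
"""Check which headers from a response.http.headers.config value a response is missing."""
import urllib.request

# Actions the Confluent documentation lists for this property (Jetty HeaderFilter syntax).
ACTIONS = {"set", "add", "setDate", "addDate"}


def parse_header_directives(config):
    """Split the config value into (action, name, value) tuples.

    Directives are comma-separated; a directive whose value itself contains
    commas must be wrapped in double quotes, as in the Schema Registry line above.
    """
    directives, current, in_quotes = [], [], False
    for ch in config:
        if ch == '"':
            in_quotes = not in_quotes          # quotes delimit, they are not part of the value
        elif ch == "," and not in_quotes:
            directives.append("".join(current))
            current = []
        else:
            current.append(ch)
    directives.append("".join(current))
    parsed = []
    for directive in (d.strip() for d in directives if d.strip()):
        action, _, rest = directive.partition(" ")
        name, sep, value = rest.partition(":")
        if action not in ACTIONS or not sep or not name.strip():
            raise ValueError(f"malformed directive: {directive!r}")
        parsed.append((action, name.strip(), value.strip()))
    return parsed


def missing_headers(directives, response_headers):
    """Return configured header names absent from the response (case-insensitive)."""
    present = {k.lower() for k in response_headers}
    return [name for _, name, _ in directives if name.lower() not in present]


def check_live(url, config, timeout=5):
    """Hypothetical helper: fetch url and list the configured headers it does not send."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return missing_headers(parse_header_directives(config), dict(resp.getheaders()))


# Constructed from the Schema Registry line and the 5.3.1 response headers in the issue.
SCHEMA_REGISTRY_CONFIG = ('"add Cache-Control: no-cache, no-store, must-revalidate", '
                          "add X-XSS-Protection: 1; mode=block, "
                          "add Strict-Transport-Security: max-age=31536000; includeSubDomains, "
                          "add X-Content-Type-Options: nosniff")
SAMPLE_RESPONSE_HEADERS = {"Date": "Mon, 11 Jan 2021 14:13:58 GMT",
                           "Content-Type": "application/vnd.kafka.v1+json",
                           "Vary": "Accept-Encoding, User-Agent", "Content-Length": "2",
                           "Server": "Jetty(9.4.18.v20190429)"}
```

Running missing_headers(parse_header_directives(SCHEMA_REGISTRY_CONFIG), SAMPLE_RESPONSE_HEADERS) lists all four configured headers, matching what the poster saw on 5.3.1.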