Dashboard: Allow User to specify http security headers that should be used
Opened this issue · 0 comments
r-heimann commented
Problem description:
Right now, Spring Cloud Data Flow does not send important HTTP security headers to a client, such as
- x-content-type-options = nosniff
- x-frame-options = DENY
- x-xss-protection = "1; mode=block"
- strict-transport-security = "max-age=31536000; includeSubDomains"
- content-security-policy = "default-src 'self'"
- referrer-policy = no-referrer
Solution description:
Maybe a simple application property which allows you to activate/declare them would be awesome. Example:
```shell
/bin/java -jar spring-cloud-dataflow-server.jar --security.headers.x-content-type-options=nosniff \
--security.headers.x-frame-options=DENY \
--security.headers.x-xss-protection="1; mode=block" \
--security.headers.strict-transport-security="max-age=31536000; includeSubDomains" \
--security.headers.content-security-policy="default-src 'self'" \
--security.headers.referrer-policy=no-referrer
```
Description of alternatives:
An alternative would be that Spring Cloud Data Flow would have these security headers enabled by default, once an SSL configuration is used.
Additional context:
-
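The following checker is an added example, not code from this issue or from Spring Cloud Data Flow. It audits a raw HTTP response for the six headers listed above, using the values the issue proposes as the expected policy. Two judgement calls are assumptions of the example rather than statements from the issue: HSTS is only required when the response was served over TLS (browsers ignore it over plain HTTP, which matches the "enable once SSL is configured" alternative), and Content-Security-Policy is judged by whether `default-src` exists and avoids permissive sources (`*`, `'unsafe-inline'`, `'unsafe-eval'`, `data:`, `http:`) rather than by exact string match. The three sample responses at the bottom are constructed for illustration, not captured from a real server.

```python
"""Audit an HTTP response for the security headers the issue lists.

Added example, not code from the issue or from Spring Cloud Data Flow.
Expected values are the ones the issue proposes; the sample responses
at the bottom are constructed for illustration.
"""
from typing import Dict, List

# The header set the issue asks for, with its proposed values.
EXPECTED: Dict[str, str] = {
    "x-content-type-options": "nosniff",
    "x-frame-options": "DENY",
    "x-xss-protection": "1; mode=block",
    "strict-transport-security": "max-age=31536000; includeSubDomains",
    "content-security-policy": "default-src 'self'",
    "referrer-policy": "no-referrer",
}
MIN_HSTS_MAX_AGE = 31536000  # one year, the value the issue uses
# Sources that make a default-src fallback largely pointless (assumption of this example).
CSP_RISKY_SOURCES = ("*", "'unsafe-inline'", "'unsafe-eval'", "data:", "http:")


def parse_raw_headers(raw: str) -> Dict[str, str]:
    """Parse the header section of a raw response (e.g. `curl -si` output)
    into a dict keyed by lower-cased name. Header names are case-insensitive;
    the status line is skipped and the body after the blank line is ignored."""
    headers: Dict[str, str] = {}
    for line in raw.replace("\r\n", "\n").split("\n")[1:]:
        if line == "":
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def _directives(value: str) -> Dict[str, str]:
    """'max-age=300; includeSubDomains' -> {'max-age': '300', 'includesubdomains': ''}"""
    out: Dict[str, str] = {}
    for part in value.split(";"):
        part = part.strip()
        if part:
            key, _, val = part.partition("=")
            out[key.strip().lower()] = val.strip()
    return out


def _csp_directives(value: str) -> Dict[str, List[str]]:
    """\"default-src 'self'; img-src data:\" -> {'default-src': [\"'self'\"], 'img-src': ['data:']}"""
    out: Dict[str, List[str]] = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            out[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    return out


def audit(headers: Dict[str, str], over_tls: bool = True) -> List[str]:
    """Return a list of findings; an empty list means every expected header
    is present with an acceptable value."""
    findings: List[str] = []
    for name, want in EXPECTED.items():
        if name == "strict-transport-security" and not over_tls:
            continue  # HSTS is only honoured by browsers over HTTPS
        got = headers.get(name)
        if got is None:
            findings.append(f"{name}: missing (expected {want!r})")
        elif name == "strict-transport-security":
            d = _directives(got)
            if not d.get("max-age", "").isdigit():
                findings.append(f"{name}: max-age missing or invalid in {got!r}")
            elif int(d["max-age"]) < MIN_HSTS_MAX_AGE:
                findings.append(f"{name}: max-age {d['max-age']} is below {MIN_HSTS_MAX_AGE}")
            if "includesubdomains" not in d:
                findings.append(f"{name}: includeSubDomains missing")
        elif name == "content-security-policy":
            sources = _csp_directives(got).get("default-src")
            if sources is None:
                findings.append(f"{name}: no default-src fallback in {got!r}")
            else:
                risky = [s for s in sources if s in CSP_RISKY_SOURCES]
                if risky:
                    findings.append(f"{name}: default-src allows {' '.join(risky)}")
        elif name == "x-xss-protection":
            if _directives(got) != _directives(want):  # tolerate spacing differences
                findings.append(f"{name}: got {got!r}, expected {want!r}")
        elif got.lower() != want.lower():
            findings.append(f"{name}: got {got!r}, expected {want!r}")
    return findings


def audit_raw(raw: str, over_tls: bool = True) -> List[str]:
    return audit(parse_raw_headers(raw), over_tls)


# Constructed sample responses (not captured from a real server).
RESPONSE_WITHOUT_HEADERS = (
    "HTTP/1.1 200 OK\r\nContent-Type: text/html;charset=UTF-8\r\n"
    "Content-Length: 16\r\n\r\n<html>ok</html>\n"
)
RESPONSE_WITH_HEADERS = (
    "HTTP/1.1 200 OK\r\nContent-Type: text/html;charset=UTF-8\r\n"
    "X-Content-Type-Options: nosniff\r\nX-Frame-Options: DENY\r\n"
    "X-XSS-Protection: 1; mode=block\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    "Content-Security-Policy: default-src 'self'\r\nReferrer-Policy: no-referrer\r\n"
    "\r\n<html>ok</html>\n"
)
RESPONSE_WEAK_HEADERS = (
    "HTTP/1.1 200 OK\r\nx-content-type-options: nosniff\r\n"
    "x-frame-options: SAMEORIGIN\r\nx-xss-protection: 0\r\n"
    "strict-transport-security: max-age=300\r\n"
    "content-security-policy: default-src * 'unsafe-inline'\r\n"
    "referrer-policy: unsafe-url\r\n\r\n"
)

if __name__ == "__main__":
    for label, raw in (("without", RESPONSE_WITHOUT_HEADERS),
                       ("with", RESPONSE_WITH_HEADERS),
                       ("weak", RESPONSE_WEAK_HEADERS)):
        print(label, audit_raw(raw) or "OK")
```

To run it against a live dashboard, pass the output of `curl -si https://host:port/dashboard/` to `audit_raw`, with `over_tls=False` if the server is still plain HTTP so the missing HSTS header is not reported as a finding it could not meaningfully fix.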