spring-cloud/spring-cloud-dataflow

Dashboard: Allow User to specify http security headers that should be used

Opened this issue · 0 comments

Problem description:
Right now, Spring Cloud Data Flow does not send important HTTP security headers to the client, such as

  • x-content-type-options = nosniff
  • x-frame-options = DENY
  • x-xss-protection = "1; mode=block"
  • strict-transport-security = "max-age=31536000; includeSubDomains"
  • content-security-policy = "default-src 'self'"
  • referrer-policy = no-referrer

Solution description:
Maybe a simple application property that allows you to activate/declare them would be awesome. Example:

/bin/java -jar spring-cloud-dataflow-server.jar --security.headers.x-content-type-options=nosniff \
                                                --security.headers.x-frame-options=DENY \
                                                --security.headers.x-xss-protection="1; mode=block" \
                                                --security.headers.strict-transport-security="max-age=31536000; includeSubDomains" \
                                                --security.headers.content-security-policy="default-src 'self'" \
                                                --security.headers.referrer-policy=no-referrer

Description of alternatives:
An alternative would be that Spring Cloud Data Flow would have these security headers enabled by default, once an SSL configuration is used.
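As an added illustration (not Spring Cloud Data Flow's own code), the property scheme proposed above and the SSL-only alternative could be implemented in a Spring Boot 2.x (javax.servlet) application with a filter that binds every `security.headers.<name>` property into a map and emits it on each response; the package and class names are hypothetical.

```java
package example; // hypothetical package for this illustration

import java.io.IOException;
import java.util.LinkedHashMap;
import java.util.Map;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.boot.context.properties.ConfigurationProperties;
import org.springframework.boot.context.properties.EnableConfigurationProperties;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.web.filter.OncePerRequestFilter;

@Configuration
@EnableConfigurationProperties(SecurityHeadersConfig.Props.class)
public class SecurityHeadersConfig {

    // Binds every "security.headers.<name>=<value>" property into one map, so
    // --security.headers.x-frame-options=DENY becomes headers["x-frame-options"]="DENY".
    // Headers that are not configured are simply never written.
    @ConfigurationProperties("security")
    public static class Props {
        private final Map<String, String> headers = new LinkedHashMap<>();

        public Map<String, String> getHeaders() {
            return headers;
        }
    }

    @Bean
    public OncePerRequestFilter securityHeadersFilter(Props props) {
        return new OncePerRequestFilter() {
            @Override
            protected void doFilterInternal(HttpServletRequest req, HttpServletResponse res,
                                            FilterChain chain) throws ServletException, IOException {
                for (Map.Entry<String, String> h : props.getHeaders().entrySet()) {
                    // Browsers ignore HSTS received over plain HTTP, so only emit it on TLS;
                    // this mirrors the "enable once SSL is configured" alternative.
                    if ("strict-transport-security".equalsIgnoreCase(h.getKey()) && !req.isSecure()) {
                        continue;
                    }
                    res.setHeader(h.getKey(), h.getValue());
                }
                chain.doFilter(req, res);
            }
        };
    }
}
```

Because the filter runs before the dashboard's own handlers, the configured values apply to every response, including static assets; if Spring Security's header writers are also active, the later writer wins for any header both set.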

Additional context:
-