Appendix C - Security : Modifying HTTP Response Headers
  

Modifying HTTP Response Headers

The default response headers are configured in the application server configuration file and can be modified.

WildFly

On WildFly application servers, the configuration file is <Orchestra>/system/app/wildfly-11.0.0.Final/standalone/configuration/standalone-full.xml
Locate the following section and modify the responseHeaderValue parameters (the header-value attributes in the listing below).
To disable a response header, comment out or remove the entire <response-header> tag together with the corresponding <filter-ref> tag, which is found a few lines above the <response-header>.
Save the file and restart Orchestra to apply the changes.
<filters>
  <response-header name="server-header" header-name="Server" header-value="WildFly/8"/>
  <response-header name="x-powered-by-header" header-name="X-Powered-By" header-value="Undertow/1"/>
  <response-header name="xContentTypeOptions" header-name="X-Content-Type-Options" header-value="nosniff"/>
  <response-header name="contentSecurityPolicy" header-name="Content-Security-Policy" header-value="*"/>
  <response-header name="xXssProtection" header-name="X-XSS-Protection" header-value="1"/>
  <response-header name="strictTransportSecurity" header-name="Strict-Transport-Security" header-value="max-age=31536000; includeSubDomains"/>
  <response-header name="xFrameOptions" header-name="X-Frame-Options" header-value="SAMEORIGIN"/>
  <filter name="qmatic-http-method-white-list" class-name="com.qmatic.httpfilter.UndertowWhiteList" module="qmatic-httpfilter-lib"/>
</filters>
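
The following Python check is an added example, not part of the Orchestra documentation. It reads a filter configuration and reports a <filter-ref> left behind after its <response-header> was removed, a header value that discloses a product version, and a Content-Security-Policy value of *. The <host> layout, the namespace and the sample values are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample (assumption): a trimmed configuration using the page's
# default values; xXssProtection was removed but its <filter-ref> was left in.
SAMPLE = """
<subsystem xmlns="urn:example:undertow">
  <host name="default-host">
    <filter-ref name="server-header"/>
    <filter-ref name="contentSecurityPolicy"/>
    <filter-ref name="xXssProtection"/>
    <filter-ref name="xFrameOptions"/>
  </host>
  <filters>
    <response-header name="server-header" header-name="Server" header-value="WildFly/8"/>
    <response-header name="contentSecurityPolicy" header-name="Content-Security-Policy" header-value="*"/>
    <response-header name="xFrameOptions" header-name="X-Frame-Options" header-value="SAMEORIGIN"/>
  </filters>
</subsystem>
"""

def local(tag):
    # Drop the "{namespace}" prefix ElementTree puts in front of tag names.
    return tag.rsplit("}", 1)[-1]

def audit(xml_text):
    """Return a list of findings for the response-header filter configuration."""
    nodes = list(ET.fromstring(xml_text).iter())
    headers = {e.get("name"): (e.get("header-name"), e.get("header-value"))
               for e in nodes if local(e.tag) == "response-header"}
    defined = set(headers) | {e.get("name") for e in nodes if local(e.tag) == "filter"}
    refs = {e.get("name") for e in nodes if local(e.tag) == "filter-ref"}
    findings = []
    # A header is only disabled cleanly when definition and reference go together.
    for name in sorted(refs - defined):
        findings.append(f"filter-ref '{name}' has no matching filter definition")
    for name in sorted(set(headers) - refs):
        findings.append(f"response-header '{name}' is defined but never referenced")
    for name, (hname, value) in sorted(headers.items()):
        if hname.lower() in ("server", "x-powered-by") and "/" in value:
            findings.append(f"{hname}: '{value}' discloses a product and version")
        if hname.lower() == "content-security-policy" and value.strip() == "*":
            findings.append(f"{hname}: '*' is not a directive, so the policy restricts nothing")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```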
 

HTTP Host Referer Guard

The HTTP Host Referer Guard has a parameter called approvedRefererHostnames, which is a comma-separated list of host names that are excluded from the test in the HTTP Host Referer Guard.
The guard has been given a default parameter value of cf.qmatic.cloud in the file standalone-full.xml. You can add to that value if you want to, e.g. use cf.qmatic.cloud, anotherhostname instead of cf.qmatic.cloud.
The syntax for WildFly is described below.

WildFly

 
<filter name="qmatic-referer-host-http-guard" class-name="com.qmatic.httpfilter.HttpHostRefererGuard" module="qmatic-httpfilter-lib">
  <param name="approvedRefererHostnames" value="cf.qmatic.cloud"/>
</filter>