With an out-of-the-box AdminUI 12.8 installation, multiple HTTP security headers are not detected.
The browser doesn't receive these headers.
The HTTP Headers missing on port 8443:
When accessing https://adminui.example.com:8443 and viewing the response in the browser's developer tools, the "Response Headers" section shows none of the above headers set.
AdminUI 12.8
The third-party software WildFly (an AdminUI prerequisite) does not have these settings enabled out of the box, depending on the version used.
To enable those Response Headers, follow these steps to edit the AdminUI (WAMUI) configuration:
<server name="default-server">
    <http-listener name="default" socket-binding="http"/>
    <https-listener enabled-cipher-suites="SSL_RSA_WITH_RC4_128_MD5,SSL_RSA_WITH_RC4_128_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_DSS_WITH_AES_128_CBC_SHA,SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_DHE_RSA_WITH_AES_256_CBC_SHA" enabled-protocols="TLSv1.1,TLSv1.2" name="https" security-realm="SSLRealm" socket-binding="https"/>
    <host alias="localhost" name="default-host">
        <location handler="welcome-content" name="/"/>
        <filter-ref name="server-header"/>
        <filter-ref name="x-frame-options"/>
        <filter-ref name="x-xss-protection"/>
        <filter-ref name="strict-transport-security"/>
    </host>
</server>
<servlet-container name="default">
    <jsp-config/>
    <websockets/>
</servlet-container>
<handlers>
    <file name="welcome-content" path="${jboss.home.dir}/welcome-content"/>
</handlers>
<filters>
    <response-header name="server-header" header-name="Server" header-value="WildFly/8"/>
    <response-header name="x-frame-options" header-name="X-Frame-Options" header-value="SAMEORIGIN"/>
    <response-header name="x-xss-protection" header-name="X-XSS-Protection" header-value="1; mode=block"/>
    <response-header name="strict-transport-security" header-name="Strict-Transport-Security" header-value="max-age=31536000; includeSubDomains;"/>
</filters>
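
A header is sent only when a filter-ref under the host points at a response-header definition with the same name. The Python check below is an added example, not part of the original article or any vendor tooling; it audits an Undertow fragment for that pairing. The sample fragment, its placeholder namespace and the function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Headers the configuration above is meant to add.
EXPECTED = ("X-Frame-Options", "X-XSS-Protection", "Strict-Transport-Security")

# Constructed sample with two deliberate mistakes: one filter is referenced
# but never defined, another is defined but never referenced.
# The namespace is a placeholder, not a real WildFly schema URN.
SAMPLE = """
<subsystem xmlns="urn:example:undertow">
  <server name="default-server">
    <host alias="localhost" name="default-host">
      <location handler="welcome-content" name="/"/>
      <filter-ref name="server-header"/>
      <filter-ref name="x-frame-options"/>
      <filter-ref name="x-xss-protection"/>
    </host>
  </server>
  <filters>
    <response-header name="server-header" header-name="Server" header-value="WildFly/8"/>
    <response-header name="x-frame-options" header-name="X-Frame-Options" header-value="SAMEORIGIN"/>
    <response-header name="strict-transport-security" header-name="Strict-Transport-Security" header-value="max-age=31536000; includeSubDomains;"/>
  </filters>
</subsystem>
"""

def local(tag):
    """Strip the XML namespace so the check also works on a namespaced file."""
    return tag.rsplit("}", 1)[-1]

def audit_undertow(xml_text, host_name="default-host"):
    """Return (emitted headers, missing expected headers, dangling filter-refs)."""
    root = ET.fromstring(xml_text)
    defined = {}  # filter name -> (header-name, header-value)
    refs = []     # filter-ref names attached to the chosen host
    for el in root.iter():
        tag = local(el.tag)
        if tag == "response-header":
            defined[el.get("name")] = (el.get("header-name"), el.get("header-value"))
        elif tag == "host" and el.get("name") == host_name:
            refs = [c.get("name") for c in el if local(c.tag) == "filter-ref"]
    emitted = dict(defined[r] for r in refs if r in defined)
    dangling = [r for r in refs if r not in defined]
    present = {h.lower() for h in emitted}  # header names are case-insensitive
    missing = sorted(h for h in EXPECTED if h.lower() not in present)
    return emitted, missing, dangling

if __name__ == "__main__":
    print(audit_undertow(SAMPLE))
```

After the configuration is corrected and the server restarted, confirm the result in the browser's developer tools as described at the top of the article.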