How do you set the X-XSS-Protection: 1; mode=BLOCK. Internal framework filter?

Article ID: 408297

Products

CA Identity Suite

Issue/Introduction

How to set the X-XSS-Protection: 1; mode=BLOCK internal framework filter to remediate the vulnerability reported as:

Identity Portal - Missing Security Header – Content Security Policy (CSP)

Resolution

This vulnerability can be remediated with jboss-cli commands. Run the steps below, then rescan the system to confirm remediation.

Log on to the IM vApp node as the config user.
Enter the command: tmux
Enter the command: sudo /opt/CA/wildfly-idm/bin/add-user.sh
Enter a (Management User) and press Enter.
Username: jbossmgr or desired username
Password: [Desired Password]
You will encounter this question: What groups do you want this user to belong to? (Please enter a comma separated list, or leave blank for none)[  ]:
Press Enter to leave it blank and proceed.
You will encounter this question: About to add user 'jbossmgr' for realm 'ManagementRealm' is this correct yes/no?
Enter yes
You will encounter this question: Is this new user going to be used for one AS process to connect to another AS process? e.g. for a slave host controller connecting to the master or for a Remoting connection for server to server EJB calls. yes/no?
Enter no
Enter the command: cd /opt/CA/wildfly-idm/bin/
Enter the command: ./jboss-cli.sh
Type connect and press Enter.
Enter the credentials for the username jbossmgr and its password.
Once logged in, run the following commands (copy each one onto the command line and press Enter; confirm the success message before moving on to the next command):

Confirm the undertow filter configuration exists:
/subsystem=undertow/configuration=filter:read-resource

It should show "outcome" => "success"

If it doesn't, add it:
/subsystem=undertow/configuration=filter:add

Define the Response Header Filter:
/subsystem=undertow/configuration=filter/response-header=x-xss-protection:add(header-name="X-XSS-Protection", header-value="1; mode=block")

Explanation:
This command creates a new response-header filter named x-xss-protection within the undertow subsystem's filter configuration. It specifies the header-name as "X-XSS-Protection" and the header-value as "1; mode=block".

Add the Filter Reference to the Host:
/subsystem=undertow/server=default-server/host=default-host/filter-ref=x-xss-protection:add()

Explanation:
This command links the previously defined x-xss-protection filter to the default-host of the default-server in the undertow subsystem. This ensures that the header is added to every response served by this host and should remediate the vulnerability.

After executing these commands, restart the WildFly instance (stop_im, then start_im) for the changes to take effect. This must be done on each WildFly node independently.
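The following script is an added example, not part of this article or of the CA Identity Suite product: it writes the three jboss-cli commands above into an idempotent CLI script (using the WildFly CLI `if (outcome != success) of ... end-if` construct so that re-running it on a node that already has the filter does not fail), applies it non-interactively with the management user created above, and provides a check for the "rescan" step that reads captured HTTP response headers and confirms X-XSS-Protection: 1; mode=block is present. The WildFly path is the one from the article; the management username, the temporary file path and the sample headers are constructed for the example.

```shell
#!/bin/sh
# Added example. Assumes WildFly lives at /opt/CA/wildfly-idm (from the article).
CLI=/opt/CA/wildfly-idm/bin/jboss-cli.sh

# Write an idempotent jboss-cli script with the article's three commands.
# Each block only runs its :add when the matching :read-resource fails.
write_cli_script() {
  cat > "$1" <<'EOF'
if (outcome != success) of /subsystem=undertow/configuration=filter:read-resource
  /subsystem=undertow/configuration=filter:add
end-if
if (outcome != success) of /subsystem=undertow/configuration=filter/response-header=x-xss-protection:read-resource
  /subsystem=undertow/configuration=filter/response-header=x-xss-protection:add(header-name="X-XSS-Protection", header-value="1; mode=block")
end-if
if (outcome != success) of /subsystem=undertow/server=default-server/host=default-host/filter-ref=x-xss-protection:read-resource
  /subsystem=undertow/server=default-server/host=default-host/filter-ref=x-xss-protection:add()
end-if
EOF
}

# Apply the script non-interactively: apply_cli_script <user> <password> <file>.
# Requires the ManagementRealm user created with add-user.sh in the steps above.
apply_cli_script() {
  "$CLI" --connect --user="$1" --password="$2" --file="$3"
}

# Verification for the rescan step. Reads raw response headers on stdin
# (for example the output of `curl -skI https://<node>/iam/im`) and returns 0
# only if X-XSS-Protection is present with the value "1; mode=block".
# Header names and the value are compared case-insensitively.
check_xss_header() {
  tr -d '\r' | awk -F': *' '
    tolower($1) == "x-xss-protection" {
      v = tolower($2); sub(/[ \t]+$/, "", v)
      if (v == "1; mode=block") ok = 1
    }
    END { exit ok ? 0 : 1 }'
}

# Stand-alone demonstration on constructed sample headers (not a real capture).
SAMPLE='HTTP/1.1 200 OK
Content-Type: text/html
X-XSS-Protection: 1; mode=block'
printf '%s\n' "$SAMPLE" | check_xss_header && echo "header present" || echo "header missing"
```

To run it for real on a node: `write_cli_script /tmp/xss.cli; apply_cli_script jbossmgr '<password>' /tmp/xss.cli`, then restart WildFly as described and pipe `curl -skI` output from each node into `check_xss_header`.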

References:

https://forums.ivanti.com/s/article/HTTP-Security-Headers-X-Frame-Options-X-XSS-Protection-X-Content-Type-Options?language=en_US

https://access.redhat.com/security/cve/cve-2024-10234