Details

      Description

      What

      Create an SPI for adding Security Headers to responses.

      How

      Introduce Security Headers SPI, including a default provider.

      Currently, security headers are added in the code, which is error-prone. Instead, the configured security headers provider should be used to add headers in a JAX-RS response filter.

      The SPI should also support being extended in the future to allow for stricter CSP headers, which means it should support some way of setting up options on how the headers should be applied.

      For now, the default provider will use the headers associated with the realm that can be configured directly by the user, but the intent is to eventually get rid of that. A realm should not duplicate default values in the db, and users should not configure the header values directly, but rather have higher-level options for configuring the headers if needed.
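
      An added example of the design described above: a provider interface, a default provider fed from the realm's configured headers, an options object, and one JAX-RS response filter that applies them. This is not the project's own code; it assumes the JAX-RS 2.x `javax.ws.rs` API on the classpath, and the names `SecurityHeadersProvider`, `HeaderOptions`, `strict` and `REQUEST_PROPERTY`, as well as the strict header values, are hypothetical.

```java
import java.util.Map;
import javax.ws.rs.container.ContainerRequestContext;
import javax.ws.rs.container.ContainerResponseContext;
import javax.ws.rs.container.ContainerResponseFilter;
import javax.ws.rs.core.MultivaluedMap;

// Hypothetical SPI; all names here are illustrative, not the project's API.
interface SecurityHeadersProvider {
    void addHeaders(MultivaluedMap<String, Object> headers, HeaderOptions options);
}

// Higher-level options a resource sets instead of writing raw header strings.
final class HeaderOptions {
    static final String REQUEST_PROPERTY = "example.securityHeaderOptions";
    boolean strict; // response renders no active content: lock it down
}

// Default provider: applies the header values configured for the realm.
final class DefaultSecurityHeadersProvider implements SecurityHeadersProvider {
    private final Map<String, String> realmHeaders;
    DefaultSecurityHeadersProvider(Map<String, String> realmHeaders) { this.realmHeaders = realmHeaders; }

    @Override
    public void addHeaders(MultivaluedMap<String, Object> headers, HeaderOptions options) {
        realmHeaders.forEach((name, value) -> {
            // putSingle replaces any value set elsewhere, so a header is never duplicated
            if (value != null && !value.trim().isEmpty()) headers.putSingle(name, value);
        });
        if (options.strict) { // constructed stricter values override the realm's
            headers.putSingle("Content-Security-Policy", "default-src 'none'; frame-ancestors 'none'");
            headers.putSingle("X-Frame-Options", "DENY");
        }
    }
}

// Single JAX-RS response filter: the only place headers are added.
public class SecurityHeadersFilter implements ContainerResponseFilter {
    private final SecurityHeadersProvider provider;
    public SecurityHeadersFilter(SecurityHeadersProvider provider) { this.provider = provider; }

    @Override
    public void filter(ContainerRequestContext request, ContainerResponseContext response) {
        // Resource code may attach options to the request; otherwise defaults apply.
        Object o = request.getProperty(HeaderOptions.REQUEST_PROPERTY);
        provider.addHeaders(response.getHeaders(), o instanceof HeaderOptions ? (HeaderOptions) o : new HeaderOptions());
    }
}
```

      Because the filter runs for every response, an endpoint that forgets to set headers still gets the realm defaults, and an endpoint can only change the outcome through the options object.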

                People

                • Assignee:
                  pskopek Peter Skopek
                  Reporter:
                  stianst Stian Thorgersen