Modifying HTTP Response Headers
The default response headers are set in the application server configuration file and can be modified there. Note that the Content-Security-Policy header ships with the value *, which is not a valid policy: a policy is a list of directives such as default-src 'self', and browsers ignore a header that names no directive. Replace the placeholder with a policy that fits your deployment, or remove the header, rather than leaving it as shipped.
JBoss EAP
On JBoss EAP application servers, the configuration file is <Orchestra>/system/app/jboss-eap-6.3/standalone/configuration/standalone-full.xml.
Locate the following section and edit the param-value attribute of each responseHeaderValue parameter (the responseHeaderName parameter selects the header, responseHeaderValue sets its value).
To disable a response header, comment out or remove the entire <valve> element.
Save the file and restart Orchestra to apply the changes.
….
<valve name="xContentTypeOptions" module="qmatic-valve-lib" class-name="com.qmatic.httpresponse.HttpResponseHeaderValve">
<param param-name="responseHeaderName" param-value="X-Content-Type-Options"/>
<param param-name="responseHeaderValue" param-value="nosniff"/>
</valve>
<valve name="contentSecurityPolicy" module="qmatic-valve-lib" class-name="com.qmatic.httpresponse.HttpResponseHeaderValve">
<param param-name="responseHeaderName" param-value="Content-Security-Policy"/>
<param param-name="responseHeaderValue" param-value="*"/>
</valve>
<valve name="xXssProtection" module="qmatic-valve-lib" class-name="com.qmatic.httpresponse.HttpResponseHeaderValve">
<param param-name="responseHeaderName" param-value="X-XSS-Protection"/>
<param param-name="responseHeaderValue" param-value="1"/>
</valve>
<valve name="strictTransportSecurity" module="qmatic-valve-lib" class-name="com.qmatic.httpresponse.HttpResponseHeaderValve">
<param param-name="responseHeaderName" param-value="Strict-Transport-Security"/>
<param param-name="responseHeaderValue" param-value="max-age=31536000; includeSubDomains"/>
</valve>
<valve name="xFrameOptions" module="qmatic-valve-lib" class-name="com.qmatic.httpresponse.HttpResponseHeaderValve">
<param param-name="responseHeaderName" param-value="X-Frame-Options"/>
<param param-name="responseHeaderValue" param-value="SAMEORIGIN"/>
</valve>
….
Wildfly
On Wildfly application servers, the configuration file is <Orchestra>/system/app/wildfly-8.2.0.Final/standalone/configuration/standalone-full.xml.
Locate the following section and edit the header-value attribute of each <response-header> element. The Server and X-Powered-By entries only reveal the server software and version to every client; remove or change them if that disclosure is a concern.
To disable a response header, comment out or remove the entire <response-header> element together with the corresponding <filter-ref> element, which is found a few lines above the <filters> section.
Save the file and restart Orchestra to apply the changes.
<filters>
<response-header name="server-header" header-name="Server" header-value="WildFly/8"/>
<response-header name="x-powered-by-header" header-name="X-Powered-By" header-value="Undertow/1"/>
<response-header name="xContentTypeOptions" header-name="X-Content-Type-Options" header-value="nosniff"/>
<response-header name="contentSecurityPolicy" header-name="Content-Security-Policy" header-value="*"/>
<response-header name="xXssProtection" header-name="X-XSS-Protection" header-value="1"/>
<response-header name="strictTransportSecurity" header-name="Strict-Transport-Security" header-value="max-age=31536000; includeSubDomains"/>
<response-header name="xFrameOptions" header-name="X-Frame-Options" header-value="SAMEORIGIN"/>
<filter name="qmatic-http-method-white-list" class-name="com.qmatic.httpfilter.UndertowWhiteList" module="qmatic-httpfilter-lib"/>
</filters>
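As an added check for both the JBoss EAP and Wildfly procedures above (example code written for this page, not part of Qmatic's Orchestra or its configuration), the following Python script parses either configuration form into a header map, runs the same audit over a raw HTTP response header block such as the output of curl -sI, and reports what a practitioner would want to know before and after the restart: headers missing or set to unexpected values, a Content-Security-Policy that names no directive, an HSTS header without a usable max-age, and Server/X-Powered-By disclosure. The XML fragments and the two response dumps embedded in the script are constructed from this page, not captured from a running server, and the accepted values and finding categories are the example's own choices, not Qmatic requirements.

```python
"""Audit the security headers an Orchestra standalone-full.xml configures (JBoss EAP
<valve> or Wildfly <response-header> form) and the headers a server actually returns.
Added example for this page, not Qmatic code; fragments and responses are constructed."""
import re
import xml.etree.ElementTree as ET

# Headers the page configures and the values accepted for each.
# None = any non-empty value (CSP and HSTS get syntax checks in audit()).
EXPECTED = {
    "X-Content-Type-Options": {"nosniff"},
    "X-Frame-Options": {"DENY", "SAMEORIGIN"},
    "Strict-Transport-Security": None,
    "Content-Security-Policy": None,
}
DISCLOSURE = ("Server", "X-Powered-By")   # only tell the client which software runs
LEGACY = ("X-XSS-Protection",)            # non-standard; CSP is the supported control
CANONICAL = {n.lower(): n for n in (*EXPECTED, *DISCLOSURE, *LEGACY)}

def configured_headers(xml_text):
    """{header-name: value} for every header a config fragment of either form sets."""
    # Wrap in a dummy root so a bare list of sibling <valve> elements parses.
    root = ET.fromstring("<root>" + xml_text + "</root>")
    headers = {}
    for rh in root.iter("response-header"):                 # Wildfly / Undertow form
        headers[rh.get("header-name")] = rh.get("header-value", "")
    for valve in root.iter("valve"):                        # JBoss EAP valve form
        p = {x.get("param-name"): x.get("param-value", "") for x in valve.findall("param")}
        if "responseHeaderName" in p:
            headers[p["responseHeaderName"]] = p.get("responseHeaderValue", "")
    return headers

def parse_response_headers(raw):
    """{header-name: value} from a raw response header block (e.g. `curl -sI` output).
    Header names are case-insensitive on the wire, so known ones get canonical spelling."""
    headers = {}
    for line in raw.strip().splitlines():
        if line.startswith("HTTP/") or ":" not in line:
            continue
        name, _, value = line.partition(":")
        headers[CANONICAL.get(name.strip().lower(), name.strip())] = value.strip()
    return headers

def valid_csp(value):
    """A CSP is ';'-separated directives, each led by a name such as default-src.
    A bare '*' has no directive name, so browsers drop the whole header."""
    directives = [d.strip() for d in value.split(";") if d.strip()]
    return bool(directives) and all(re.match(r"[A-Za-z][A-Za-z0-9-]*(\s|$)", d) for d in directives)

def audit(headers):
    """Return findings as strings; an empty list means nothing to fix."""
    findings = []
    for name, allowed in EXPECTED.items():
        value = headers.get(name, "").strip()
        if not value:
            findings.append(f"missing: {name}")
        elif allowed is not None and value not in allowed:
            findings.append(f"unexpected value: {name}: {value}")
    csp = headers.get("Content-Security-Policy", "").strip()
    if csp and not valid_csp(csp):
        findings.append(f"invalid CSP: {csp!r} names no directive, browsers ignore it")
    hsts = headers.get("Strict-Transport-Security", "")
    m = re.search(r"max-age=(\d+)", hsts)
    if hsts and (not m or int(m.group(1)) == 0):
        findings.append(f"ineffective HSTS: {hsts!r} (max-age missing or zero)")
    for name in DISCLOSURE + LEGACY:
        if name in headers:
            kind = "disclosure" if name in DISCLOSURE else "legacy (non-standard)"
            findings.append(f"{kind}: {name}: {headers[name]}")
    return findings

# Constructed copies of the page's fragments (Wildfly in full, one JBoss valve).
WILDFLY_FILTERS = """<filters>
<response-header name="server-header" header-name="Server" header-value="WildFly/8"/>
<response-header name="x-powered-by-header" header-name="X-Powered-By" header-value="Undertow/1"/>
<response-header name="xContentTypeOptions" header-name="X-Content-Type-Options" header-value="nosniff"/>
<response-header name="contentSecurityPolicy" header-name="Content-Security-Policy" header-value="*"/>
<response-header name="xXssProtection" header-name="X-XSS-Protection" header-value="1"/>
<response-header name="strictTransportSecurity" header-name="Strict-Transport-Security" header-value="max-age=31536000; includeSubDomains"/>
<response-header name="xFrameOptions" header-name="X-Frame-Options" header-value="SAMEORIGIN"/>
<filter name="qmatic-http-method-white-list" class-name="com.qmatic.httpfilter.UndertowWhiteList" module="qmatic-httpfilter-lib"/>
</filters>"""
JBOSS_VALVES = """<valve name="contentSecurityPolicy" module="qmatic-valve-lib" class-name="com.qmatic.httpresponse.HttpResponseHeaderValve">
<param param-name="responseHeaderName" param-value="Content-Security-Policy"/>
<param param-name="responseHeaderValue" param-value="*"/>
</valve>"""
# Constructed `curl -sI` dumps: what the shipped Wildfly config emits, and a hardened variant.
WEAK_RESPONSE = """HTTP/1.1 200 OK
server: WildFly/8
x-powered-by: Undertow/1
X-Content-Type-Options: nosniff
Content-Security-Policy: *
X-XSS-Protection: 1
Strict-Transport-Security: max-age=31536000; includeSubDomains
x-frame-options: SAMEORIGIN"""
HARDENED_RESPONSE = """HTTP/1.1 200 OK
X-Content-Type-Options: nosniff
Content-Security-Policy: default-src 'self'; frame-ancestors 'self'
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Frame-Options: SAMEORIGIN"""

if __name__ == "__main__":
    print("config ->", audit(configured_headers(WILDFLY_FILTERS)) or "ok")
    for label, raw in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, "->", audit(parse_response_headers(raw)) or "ok")
```

The configuration file shows what the valve or filter intends to add; only the live response shows what actually leaves the server, since the container or a reverse proxy in front of it may add a Server header of its own or strip one you configured. After the restart, save the output of curl -sI https://<orchestra-host>/ to a file and pass its contents to parse_response_headers, then compare audit() of that map with audit() of the configured headers. The JBoss EAP valve list on this page contains no Server entry, which is exactly the case where the live check, not the file, tells you whether the header is sent.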