Apache Knox
KNOX-1028

X-Frame-Options and other security headers are ineffective


Details

    • Type: Bug
    • Status: Closed
    • Priority: Critical
    • Resolution: Fixed
    • Affects Version/s: 0.13.0, 0.14.0
    • Fix Version/s: 0.14.0
    • Component/s: Site
    • Labels: None

    Description

      When the xframe-options.enabled param is set to true in the WebAppSec provider, the same is not reflected in the HTTP response header. See the attached screenshot.

      Also, the X-XSRF-Header param is not effective, and curl calls without X-XSRF-Header also pass through, e.g.

      $ curl -iku admin:admin-password https://localhost:8443/gateway/admin/api/v1/version
      HTTP/1.1 200 OK
      Date: Thu, 07 Sep 2017 16:57:27 GMT
      Set-Cookie: JSESSIONID=169y7xds1o2ga3mvrbtly6t77;Path=/gateway/admin;Secure;HttpOnly
      Expires: Thu, 01 Jan 1970 00:00:00 GMT
      Set-Cookie: rememberMe=deleteMe; Path=/gateway/admin; Max-Age=0; Expires=Wed, 06-Sep-2017 16:57:27 GMT
      Content-Type: application/xml
      Content-Length: 167
      Server: Jetty(9.2.15.v20160210)
      
      <?xml version="1.0" encoding="UTF-8"?>
      <ServerVersion>
         <version>0.14.0-SNAPSHOT</version>
         <hash>6657f2fd9f52c8303fc9a2d1d72eef38be719288</hash>
      </ServerVersion>
      
      

      Related topology config

      		<provider>
      			<role>webappsec</role>
      			<name>WebAppSec</name>
      			<enabled>true</enabled>
      			<param>
      				<name>csrf.enabled</name>
      				<value>true</value>
      			</param>
      			<param>
      				<name>csrf.customHeader</name>
      				<value>X-XSRF-Header</value>
      			</param>
      			<param>
      				<name>csrf.methodsToIgnore</name>
      				<value>GET,OPTIONS,HEAD</value>
      			</param>
      			<param>
      				<name>cors.enabled</name>
      				<value>true</value>
      			</param>
      			<param>
      				<name>xframe-options.enabled</name>
      				<value>true</value>
      			</param>
      		</provider>
      
      
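      Added example, not code from this report or from the Knox project: a small checker that reads the WebAppSec provider params from a topology file, derives which response headers they promise, and compares that against a captured HTTP response, flagging the absent X-Frame-Options described above. It also encodes the CSRF rule the same config expresses (methods in csrf.methodsToIgnore are exempt, every other method must carry the csrf.customHeader). The topology and response samples are constructed from the report; the param-to-header table covers only the param shown here.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the WebAppSec provider from the report, wrapped in a
# minimal <topology> root so it parses on its own.
TOPOLOGY_XML = """<topology><gateway><provider>
  <role>webappsec</role><name>WebAppSec</name><enabled>true</enabled>
  <param><name>csrf.enabled</name><value>true</value></param>
  <param><name>csrf.customHeader</name><value>X-XSRF-Header</value></param>
  <param><name>csrf.methodsToIgnore</name><value>GET,OPTIONS,HEAD</value></param>
  <param><name>xframe-options.enabled</name><value>true</value></param>
</provider></gateway></topology>"""

# Constructed sample: the response headers captured in the report (no X-Frame-Options).
RAW_RESPONSE = """HTTP/1.1 200 OK
Content-Type: application/xml
Server: Jetty(9.2.15.v20160210)
"""

# Params that, when "true", must appear as a response header (only the one from the report).
PARAM_TO_HEADER = {"xframe-options.enabled": "X-Frame-Options"}

def webappsec_params(topology_xml):
    """{name: value} for every param of the enabled webappsec provider."""
    for prov in ET.fromstring(topology_xml).iter("provider"):
        if prov.findtext("role") == "webappsec" and prov.findtext("enabled") == "true":
            return {p.findtext("name"): p.findtext("value") for p in prov.findall("param")}
    return {}

def parse_headers(raw_response):
    """Lowercased header name -> value, from after the status line to the blank line."""
    headers = {}
    for line in raw_response.splitlines()[1:]:
        if not line.strip():
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers

def missing_headers(params, headers):
    """Headers the config promises but the response does not carry."""
    return [hdr for param, hdr in PARAM_TO_HEADER.items()
            if params.get(param) == "true" and hdr.lower() not in headers]

def csrf_allows(params, method, request_headers):
    """CSRF rule as configured: exempt methods pass, all others need the custom header."""
    if params.get("csrf.enabled") != "true":
        return True
    exempt = {m.strip().upper() for m in params.get("csrf.methodsToIgnore", "").split(",")}
    custom = params.get("csrf.customHeader", "X-XSRF-Header").lower()
    return method.upper() in exempt or custom in {h.lower() for h in request_headers}
```

Run against a live gateway by pasting the `curl -i` output into RAW_RESPONSE; a non-empty list from missing_headers is the symptom this issue describes.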

      People

        Assignee: Unassigned
        Reporter: Krishna Pandey (kpandey)