
Disable default spring security headers, allow spring cloud gateway to manage them #173

Merged (3 commits), Feb 4, 2025

Conversation

@groldan (Member) commented Jan 31, 2025

This patch disables the Spring Boot default security headers in
org.georchestra.gateway.security.GatewaySecurityConfiguration.

The default Spring Boot security headers and the Spring Cloud Gateway
security headers handling are two different things, and the former was
preventing the latter from taking over the configuration.

The sample configuration in datadir/application.yaml disables the x-frame-options and x-content-type-options response headers.
It is a two-step process: on one side, we need to remove the headers from downstream service responses
by adding a RemoveResponseHeader default filter for each response header to remove.
On the other hand, the gateway's corresponding secure headers have to be disabled
(see spring.cloud.gateway.filter.secure-headers.disable.*).

For example:

```
spring:
  cloud:
    gateway:
      default-filters:
      - SecureHeaders # add security-related HTTP headers to responses sent from the gateway to clients. See https://blog.appcanary.com/2017/http-security-headers.html
      - TokenRelay # propagates OAuth2 access tokens from incoming requests to downstream services
      - RemoveSecurityHeaders # removing incoming sec-* headers to prevent impersonation
      - AddSecHeaders # append resolved sec-* headers to proxied requests based on the currently authenticated user
      - PreserveHostHeader # ensure that the original Host header from the incoming HTTP request is preserved and passed along to the downstream service
      - ApplicationError # use gateway's custom error pages when a downstream request returns an error code
      - LoginParamRedirect # redirect to /login if the request contains a ?login query param and is not already authenticated
      - RemoveResponseHeader=X-Content-Type-Options # remove unwanted response header from downstream services
      - RemoveResponseHeader=X-Frame-Options # remove unwanted response header from downstream services
      filter:
        secure-headers:
          enabled: true
          disable:
          # NOTE: header names must be lower-case
          - x-frame-options
          - x-content-type-options
```
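The two-step nature of this change is easy to get half right: disabling a header on the gateway side without also stripping it from downstream responses lets the downstream value pass through, and stripping it downstream without disabling it on the gateway means the gateway re-adds its own. The following lint is an added example, not code from the georchestra gateway project. It models the final response as (downstream headers minus every `RemoveResponseHeader` target) plus (the `SecureHeaders` filter's default header set minus `secure-headers.disable`); that merge model is a simplification of the real Spring Cloud Gateway filter chain, and the default header set is the one documented for `SecureHeaders` (both are assumptions). The sample configuration is constructed as a dict mirroring the YAML above so the script runs without a YAML library.

```python
"""Lint a Spring Cloud Gateway config for consistent security-header handling.

Added example (not part of the georchestra gateway project).  Assumptions:
  * SECURE_HEADER_DEFAULTS is the documented default set of the SecureHeaders filter;
  * the client receives (downstream headers - RemoveResponseHeader targets)
    | (SecureHeaders defaults - secure-headers.disable), a simplified model
    of the real filter chain.
"""

# Header names the SecureHeaders filter adds unless disabled (documented defaults,
# lower-cased because the `disable` list must use lower-case names).
SECURE_HEADER_DEFAULTS = frozenset({
    "x-xss-protection",
    "strict-transport-security",
    "x-frame-options",
    "x-content-type-options",
    "referrer-policy",
    "content-security-policy",
    "x-download-options",
    "x-permitted-cross-domain-policies",
})


def make_config(default_filters, disable, enabled=True):
    """Build the spring.cloud.gateway subtree the lint inspects (constructed)."""
    return {"spring": {"cloud": {"gateway": {
        "default-filters": list(default_filters),
        "filter": {"secure-headers": {"enabled": enabled, "disable": list(disable)}},
    }}}}


# Constructed sample mirroring datadir/application.yaml from the PR description.
SAMPLE_CONFIG = make_config(
    ["SecureHeaders", "TokenRelay", "RemoveSecurityHeaders", "AddSecHeaders",
     "PreserveHostHeader", "ApplicationError", "LoginParamRedirect",
     "RemoveResponseHeader=X-Content-Type-Options",
     "RemoveResponseHeader=X-Frame-Options"],
    ["x-frame-options", "x-content-type-options"],
)


def _gateway(cfg):
    return cfg["spring"]["cloud"]["gateway"]


def removed_response_headers(cfg):
    """Lower-cased names targeted by RemoveResponseHeader default filters."""
    removed = set()
    for entry in _gateway(cfg).get("default-filters", []):
        name, _, arg = entry.partition("=")
        if name.strip() == "RemoveResponseHeader" and arg.strip():
            removed.add(arg.strip().lower())
    return removed


def disabled_secure_headers(cfg):
    """Secure headers the gateway will not add (all of them if the filter is off)."""
    gw = _gateway(cfg)
    secure = gw.get("filter", {}).get("secure-headers", {})
    if "SecureHeaders" not in gw.get("default-filters", []) or not secure.get("enabled", True):
        return set(SECURE_HEADER_DEFAULTS)
    return {h.lower() for h in secure.get("disable", [])}


def effective_response_headers(cfg, downstream_headers):
    """Header names (lower-cased) the client receives under the simplified model."""
    kept = {h.lower() for h in downstream_headers} - removed_response_headers(cfg)
    added = SECURE_HEADER_DEFAULTS - disabled_secure_headers(cfg)
    return kept | added


def lint(cfg):
    """Return findings describing inconsistent header handling (empty = consistent)."""
    findings = []
    secure = _gateway(cfg).get("filter", {}).get("secure-headers", {})
    raw_disable = secure.get("disable", [])
    disabled = {h.lower() for h in raw_disable}
    removed = removed_response_headers(cfg)
    # The sample config's NOTE: names in `disable` must be lower-case.
    for raw in raw_disable:
        if raw != raw.lower():
            findings.append(f"disable entry '{raw}' must be lower-case")
    # Disabled on the gateway but still allowed through from downstream.
    for h in sorted(disabled - removed):
        findings.append(f"'{h}' is disabled on the gateway but no "
                        f"RemoveResponseHeader={h} filter exists: a downstream value passes through")
    # Stripped from downstream but the gateway adds its own value anyway.
    for h in sorted((removed & SECURE_HEADER_DEFAULTS) - disabled):
        findings.append(f"RemoveResponseHeader={h} strips the downstream value but "
                        f"the gateway still adds its own '{h}' header")
    return findings


if __name__ == "__main__":
    # Constructed downstream response: the service sets its own X-Frame-Options.
    downstream = {"Content-Type": "text/html", "X-Frame-Options": "SAMEORIGIN"}
    print("findings:", lint(SAMPLE_CONFIG) or "none")
    print("client sees:", sorted(effective_response_headers(SAMPLE_CONFIG, downstream)))
```

Run against the sample config the lint reports nothing and the client sees neither `x-frame-options` nor `x-content-type-options`; drop one of the two `RemoveResponseHeader` entries and it reports the header that would leak from downstream.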

@groldan groldan merged commit c699b3b into main Feb 4, 2025
3 checks passed
@groldan groldan deleted the GSMEL-647 branch February 4, 2025 15:55

💔 All backports failed

| Status | Branch | Result |
|--------|--------|--------|
| ❌ | 1.1.x | Backport failed because of merge conflicts |

Manual backport

To create the backport manually run:

backport --pr 173

Questions?

Please refer to the Backport tool documentation and see the Github Action logs for details

3 participants