Bug 1729570 - OpenShift Console missing X-XSS-Protection header.
Summary: OpenShift Console missing X-XSS-Protection header.
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: kube-apiserver
Version: 3.11.0
Hardware: All
OS: All
Target Milestone: ---
Target Release: 4.3.0
Assignee: Stefan Schimanski
QA Contact: Xingxing Xia
Depends On:
Reported: 2019-07-12 16:28 UTC by Dan Yocum
Modified: 2020-12-03 05:01 UTC
CC List: 4 users

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Last Closed: 2019-11-07 09:08:23 UTC
Target Upstream Version:


Description Dan Yocum 2019-07-12 16:28:45 UTC
Description of problem:

Customer is reporting that their pentests are failing (low severity) because the X-XSS-Protection header (to prevent cross-site scripting attacks) is missing on the OpenShift console.

Version-Release number of selected component (if applicable):

All 3.x

How reproducible:


Steps to Reproduce:
1. pentest the console using Kali

Actual results:

X-XSS-Protection header test fails

Expected results:

X-XSS-Protection header test succeeds

Additional info:

Comment 4 Samuel Padgett 2019-07-12 17:22:56 UTC
What HTTP response specifically is missing this header? Both the 3.11 and 4.1 web consoles do have it set.

Comment 10 Samuel Padgett 2019-07-25 12:09:01 UTC
This response comes from the API server. Updating the component. The console itself has the header.
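
The question in this thread is which HTTP response the scanner actually flagged: the console's own HTML responses carry the header, while the response that triggered the finding came from the API server. The following is an added example, not code from the bug report or from the OpenShift project, that answers that question by parsing raw `curl -sSI` output per URL and listing the security headers each response lacks, so a finding can be attributed to a specific backend rather than to "the console". The two response samples are constructed for illustration (their exact headers are assumed, not taken from a real cluster), and the set of expected headers is the one a typical scanner checks. One caveat a practitioner should keep in mind: X-XSS-Protection only ever drove a browser-side heuristic filter, current Chromium and Firefox builds ignore it, and Content-Security-Policy is the header that actually constrains script execution, so a missing X-XSS-Protection is correctly rated low severity.

```python
"""Audit raw HTTP response headers for the security headers a pentest scanner flags.

Added example, not part of the bug report. Feed each function the text that
`curl -sSI https://<host>/<path>` prints (status line plus headers), one
response per URL the scanner reported.
"""
from __future__ import annotations

# Headers a typical scanner checks, mapped to the value prefix we require.
# None means "present with any value". The order here is the report order.
EXPECTED_SECURITY_HEADERS: dict[str, str | None] = {
    "x-xss-protection": "1",          # "0" explicitly disables the filter
    "x-content-type-options": "nosniff",
    "x-frame-options": None,
}


def parse_headers(raw: str) -> dict[str, str]:
    """Parse an HTTP/1.x status line plus header block into a dict.

    Header names are lowercased (they are case-insensitive on the wire);
    repeated headers are joined with ", " as RFC 9110 allows. Parsing stops at
    the first blank line, so a body pasted after the headers is ignored.
    Obsolete line folding is not handled.
    """
    lines = raw.strip().splitlines()
    if not lines or not lines[0].startswith("HTTP/"):
        raise ValueError("input must start with an HTTP status line")
    headers: dict[str, str] = {}
    for line in lines[1:]:
        if not line.strip():
            break  # end of the header block
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed header line: {line!r}")
        name, value = name.strip().lower(), value.strip()
        headers[name] = f"{headers[name]}, {value}" if name in headers else value
    return headers


def missing_security_headers(raw: str) -> list[str]:
    """Return expected headers that are absent or carry a value the scanner rejects."""
    headers = parse_headers(raw)
    missing: list[str] = []
    for name, want in EXPECTED_SECURITY_HEADERS.items():
        got = headers.get(name)
        if got is None or (want is not None and not got.lower().startswith(want)):
            missing.append(name)
    return missing


def audit(responses: dict[str, str]) -> dict[str, list[str]]:
    """Map each URL to its missing headers, so the finding names a response, not a host."""
    return {url: missing_security_headers(raw) for url, raw in responses.items()}


# Constructed samples (assumed values, not captured from a real cluster):
# an HTML response from the web console and a JSON response from the API server.
CONSOLE_RESPONSE = """HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
X-Xss-Protection: 1; mode=block
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
"""

API_RESPONSE = """HTTP/1.1 403 Forbidden
Content-Type: application/json
Cache-Control: no-cache, private
"""

if __name__ == "__main__":
    for url, gaps in audit({
        "https://console.example/console/": CONSOLE_RESPONSE,
        "https://console.example/api/v1/namespaces": API_RESPONSE,
    }).items():
        print(f"{url}: {'ok' if not gaps else 'missing ' + ', '.join(gaps)}")
```

Run it against every URL the scanner's report lists, not just the console landing page: a 401/403 from an API path and a 200 from the console's HTML are produced by different processes with different header sets, and the audit output makes that distinction visible instead of collapsing both into "the console".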
