Any configuration to disable http header from JBoss EAP 7.3.8 GA


Eric Lee

Apr 26, 2023, 10:05:41 AM
to WildFly
We have a web app from a vendor, and we don't have any source code. Now we face a vulnerability about HTTP Method Override. Is there any configuration that can disable or remove the HTTP headers X-HTTP-METHOD / X-HTTP-Method-Override / X-METHOD-OVERRIDE, just by modifying a config file such as web.xml or JBoss standalone.xml?

Many thanks.

Paul Ferraro

Apr 26, 2023, 11:59:53 AM
to WildFly
The Undertow subsystem has a response-header filter, but unfortunately, it can only be used to add response headers - not remove them.
You could, however, write your own filter, package it within a module, and specify a custom-filter with your module and class-name.
e.g.
import io.undertow.server.HttpHandler;
import io.undertow.server.HttpServerExchange;

public class RemoveResponseHeaderFilter implements HttpHandler {
   private final HttpHandler next;
   // Set by the container from the <param name="headerName"> of the custom-filter
   private volatile String headerName;

   public RemoveResponseHeaderFilter(HttpHandler next) {
      this.next = next;
   }

   public void setHeaderName(String name) {
      this.headerName = name;
   }

   @Override
   public void handleRequest(final HttpServerExchange exchange) throws Exception {
      try {
         String name = this.headerName;
         if (name != null) {
            // Removes the header if it is already present on the response at this point,
            // i.e. set by a handler that ran before this filter
            exchange.getResponseHeaders().remove(name);
         }
      } finally {
         // Always pass the exchange on to the next handler in the chain
         this.next.handleRequest(exchange);
      }
   }
}

Then add the requisite filters to your undertow subsystem:

<filters>
   <custom-filter name="remove-x-http-method" module="foo.bar" class-name="foo.bar.RemoveResponseHeaderFilter">
      <param name="headerName" value="X-HTTP-METHOD"/>
   </custom-filter>
   <custom-filter name="remove-x-method-override" module="foo.bar" class-name="foo.bar.RemoveResponseHeaderFilter">
      <param name="headerName" value="X-METHOD-OVERRIDE"/>
   </custom-filter>
</filters>

And reference them within the appropriate host:

<host name="default-host">
   <!-- ... -->
   <filter-ref name="remove-x-http-method"/>
   <filter-ref name="remove-x-method-override"/>
</host>

Otherwise, assuming that your WildFly instance(s) sit(s) behind a reverse-proxy/load-balancer and does not use TLS passthrough, this kind of thing can often be configured there.
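As an added example (not Paul's code, and not part of WildFly or Undertow), the following handler applies the same custom-filter pattern to the request side, which is where the headers Eric names do their work: they ask the application to treat the request as a different HTTP method than the one actually sent. It strips the configured names from the request headers before the application sees them, and removes the same names from the response at commit time rather than before the next handler runs, so headers added later in the chain are also caught. The package name `example.filters`, the `headerNames` parameter, its comma-separated format and the FINE-level log line are assumptions; the constructor and setter conventions follow Paul's example.

```java
package example.filters; // assumed package; must match class-name in the custom-filter element

import io.undertow.server.HttpHandler;
import io.undertow.server.HttpServerExchange;
import io.undertow.util.HeaderMap;
import io.undertow.util.HttpString;

import java.util.ArrayList;
import java.util.Collections;
import java.util.List;
import java.util.logging.Logger;

/**
 * Undertow filter that strips HTTP method-override headers from the request
 * before the application sees them, and from the response just before commit.
 */
public class StripOverrideHeadersFilter implements HttpHandler {

    private static final Logger LOGGER = Logger.getLogger(StripOverrideHeadersFilter.class.getName());

    // The three names from the question; header-name matching in Undertow is case-insensitive
    private static final String DEFAULT_NAMES = "X-HTTP-Method-Override,X-HTTP-Method,X-Method-Override";

    private final HttpHandler next;
    private volatile List<HttpString> headerNames = parse(DEFAULT_NAMES);

    // WildFly passes the next handler in the chain to this constructor (same convention as above)
    public StripOverrideHeadersFilter(HttpHandler next) {
        this.next = next;
    }

    // Called for <param name="headerNames" value="..."/>; assumed setter convention, as above
    public void setHeaderNames(String commaSeparated) {
        this.headerNames = parse(commaSeparated);
    }

    static List<HttpString> parse(String commaSeparated) {
        List<HttpString> names = new ArrayList<>();
        for (String raw : commaSeparated.split(",")) {
            String trimmed = raw.trim();
            if (!trimmed.isEmpty()) {
                names.add(new HttpString(trimmed));
            }
        }
        return Collections.unmodifiableList(names);
    }

    // Removes every configured name from the given header map; returns how many were present
    static int strip(HeaderMap headers, List<HttpString> names) {
        int removed = 0;
        for (HttpString name : names) {
            if (headers.contains(name)) {
                headers.remove(name);
                removed++;
            }
        }
        return removed;
    }

    @Override
    public void handleRequest(HttpServerExchange exchange) throws Exception {
        List<HttpString> names = this.headerNames;

        // Request side: drop the override headers so the application only sees the real verb.
        int removed = strip(exchange.getRequestHeaders(), names);
        if (removed > 0) {
            // Worth recording: a client sent an override header that this filter discarded
            LOGGER.fine("Stripped " + removed + " method-override header(s) from "
                    + exchange.getRequestMethod() + " " + exchange.getRequestPath());
        }

        // Response side: a removal done here would be undone by handlers that run later,
        // so defer it until Undertow is about to write the response headers.
        exchange.addResponseCommitListener(ex -> strip(ex.getResponseHeaders(), names));

        this.next.handleRequest(exchange);
    }
}
```

Register it the same way as above: a `<custom-filter>` with `class-name="example.filters.StripOverrideHeadersFilter"`, an optional `<param name="headerNames" value="..."/>` to override the default list, and a `<filter-ref>` under the host. The module that packages the class needs a dependency on the `io.undertow.core` module so the Undertow types resolve. Because the header names are compared case-insensitively, one entry covers `X-HTTP-Method-Override` and `X-HTTP-METHOD-OVERRIDE` alike.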