Appendix C - Security : Modifying HTTP Response Headers
  

Modifying HTTP Response Headers

The default response headers are configured in the application server configuration file, standalone-full.xml, and can be modified there. The location of the file and the syntax of the entries depend on whether Orchestra runs on JBoss EAP or Wildfly, as described below. Two of the shipped values deserve attention: the Content-Security-Policy value * is not a CSP directive, so browsers ignore that policy until it is replaced with real directives (for example a policy built on default-src), and X-XSS-Protection is deprecated and ignored by most current browsers, so it should not be relied on for protection.

JBoss EAP

On JBoss EAP application servers, the configuration file is <Orchestra>/system/app/jboss-eap-6.3/standalone/configuration/standalone-full.xml.
Locate the following section and change the param-value of the responseHeaderValue parameter in the <valve> for the header you want to modify.
To disable a response header, comment out or remove the entire <valve> element.
Save the file and restart Orchestra to apply the changes.
...
<valve name="xContentTypeOptions" module="qmatic-valve-lib" class-name="com.qmatic.httpresponse.HttpResponseHeaderValve">
<param param-name="responseHeaderName" param-value="X-Content-Type-Options"/>
<param param-name="responseHeaderValue" param-value="nosniff"/>
</valve>
<valve name="contentSecurityPolicy" module="qmatic-valve-lib" class-name="com.qmatic.httpresponse.HttpResponseHeaderValve">
<param param-name="responseHeaderName" param-value="Content-Security-Policy"/>
<param param-name="responseHeaderValue" param-value="*"/>
</valve>
<valve name="xXssProtection" module="qmatic-valve-lib" class-name="com.qmatic.httpresponse.HttpResponseHeaderValve">
<param param-name="responseHeaderName" param-value="X-XSS-Protection"/>
<param param-name="responseHeaderValue" param-value="1"/>
</valve>
<valve name="strictTransportSecurity" module="qmatic-valve-lib" class-name="com.qmatic.httpresponse.HttpResponseHeaderValve">
<param param-name="responseHeaderName" param-value="Strict-Transport-Security"/>
<param param-name="responseHeaderValue" param-value="max-age=31536000; includeSubDomains"/>
</valve>
<valve name="xFrameOptions" module="qmatic-valve-lib" class-name="com.qmatic.httpresponse.HttpResponseHeaderValve">
<param param-name="responseHeaderName" param-value="X-Frame-Options"/>
<param param-name="responseHeaderValue" param-value="SAMEORIGIN"/>
</valve>
...
 

Wildfly

On Wildfly application servers, the configuration file is <Orchestra>/system/app/wildfly-8.2.0.Final/standalone/configuration/standalone-full.xml.
Locate the following section and change the header-value attribute of the <response-header> for the header you want to modify.
To disable a response header, comment out or remove the entire <response-header> element together with the corresponding <filter-ref> element, which is found a few lines above the <filters> section (inside the <host> element); a <filter-ref> left pointing at a removed filter is a configuration error. The server-header and x-powered-by-header entries advertise the WildFly and Undertow versions to every client and can be disabled the same way.
Save the file and restart Orchestra to apply the changes.
<filters>
<response-header name="server-header" header-name="Server" header-value="WildFly/8"/>
<response-header name="x-powered-by-header" header-name="X-Powered-By" header-value="Undertow/1"/>
<response-header name="xContentTypeOptions" header-name="X-Content-Type-Options" header-value="nosniff"/>
<response-header name="contentSecurityPolicy" header-name="Content-Security-Policy" header-value="*"/>
<response-header name="xXssProtection" header-name="X-XSS-Protection" header-value="1"/>
<response-header name="strictTransportSecurity" header-name="Strict-Transport-Security" header-value="max-age=31536000; includeSubDomains"/>
<response-header name="xFrameOptions" header-name="X-Frame-Options" header-value="SAMEORIGIN"/>
<filter name="qmatic-http-method-white-list" class-name="com.qmatic.httpfilter.UndertowWhiteList" module="qmatic-httpfilter-lib"/>
</filters>
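After the restart, confirm what the server actually sends rather than trusting the file. The script below is an added example and is not part of Orchestra or this appendix: it reads a raw HTTP header block (for instance the output of curl -sI), checks that the headers configured above are present with usable values, flags a Content-Security-Policy that contains no directive (the shipped * value), and reports the version-disclosing Server and X-Powered-By headers. The two sample responses embedded in it are constructed for the example, not captured from a real Orchestra server.

```python
"""Audit the response headers an Orchestra server actually sends.

Added example, not Qmatic's own tooling. Usage against a running server:
    curl -sI https://<orchestra-host>/ | python3 check_headers.py
The sample responses below are constructed, not captured from a real host.
"""
import re
import sys

# Constructed response mirroring the defaults shown in this appendix.
DEFAULT_RESPONSE = """HTTP/1.1 200 OK
Server: WildFly/8
X-Powered-By: Undertow/1
X-Content-Type-Options: nosniff
Content-Security-Policy: *
X-XSS-Protection: 1
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Frame-Options: SAMEORIGIN
Content-Type: text/html;charset=UTF-8
"""

# Constructed response after the server headers were removed and a real CSP set.
HARDENED_RESPONSE = """HTTP/1.1 200 OK
X-Content-Type-Options: nosniff
Content-Security-Policy: default-src 'self'; frame-ancestors 'self'
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Frame-Options: SAMEORIGIN
Content-Type: text/html;charset=UTF-8
"""

# A CSP directive name is a token such as default-src; "*" alone is not one.
DIRECTIVE = re.compile(r"^[A-Za-z][A-Za-z0-9-]*$")


def csp_has_directive(value):
    """True if at least one ';'-separated part starts with a directive name.
    Browsers ignore unknown directives, so a policy of "*" enforces nothing."""
    for part in value.split(";"):
        tokens = part.split()
        if tokens and DIRECTIVE.match(tokens[0]):
            return True
    return False


# Headers this appendix configures, each with the check its value must pass.
EXPECTED = {
    "x-content-type-options": lambda v: v.lower() == "nosniff",
    "x-frame-options": lambda v: v.upper() in ("DENY", "SAMEORIGIN"),
    "strict-transport-security": lambda v: re.search(r"max-age=\d+", v) is not None,
    "content-security-policy": csp_has_directive,
}

# Headers that only disclose the server stack (WildFly sends both by default).
DISCLOSING = ("server", "x-powered-by")


def parse_headers(raw):
    """Map lower-cased header names to values, skipping the status line."""
    headers = {}
    for line in raw.splitlines():
        if line.startswith("HTTP/") or ":" not in line:
            continue
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def audit(raw):
    """Return a list of findings; an empty list means the headers look right."""
    headers = parse_headers(raw)
    findings = []
    for name, ok in EXPECTED.items():
        if name not in headers:
            findings.append(f"missing {name}")
        elif not ok(headers[name]):
            findings.append(f"weak {name}: {headers[name]!r}")
    for name in DISCLOSING:
        if name in headers:
            findings.append(f"disclosure {name}: {headers[name]!r}")
    return findings


if __name__ == "__main__":
    raw = sys.stdin.read() if not sys.stdin.isatty() else DEFAULT_RESPONSE
    problems = audit(raw)
    for p in problems:
        print(p)
    sys.exit(1 if problems else 0)
```

Run it against the HTTPS listener, since Strict-Transport-Security is only honoured on a TLS response, and test a GET as well as a HEAD (curl -s -D - -o /dev/null URL) if the application answers the two differently.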
 

HTTP Host Referer Guard

The HTTP Host Referer Guard has a parameter, approvedRefererHostnames, which is a comma-separated list of host names that are excluded from the guard's check.
The guard is shipped with the default value cf.qmatic.cloud in standalone-full.xml. To exempt further hosts, append them to that value, e.g. use cf.qmatic.cloud, anotherhostname instead of cf.qmatic.cloud. Add only the hosts you actually need, since every entry bypasses the check.
The syntax differs somewhat between JBoss and Wildfly, as shown below.

JBoss

 
<valve name="refererHostHttpGuard" module="qmatic-valve-lib" class-name="com.qmatic.jboss.web.valve.HttpHostRefererGuard">
<param param-name="approvedRefererHostnames" param-value="cf.qmatic.cloud"/>
</valve>
 

Wildfly

 
<filter name="qmatic-referer-host-http-guard" class-name="com.qmatic.httpfilter.HttpHostRefererGuard" module="qmatic-httpfilter-lib">
<param name="approvedRefererHostnames" value="cf.qmatic.cloud"/>
</filter>
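The edits described in this appendix (changing a header value, disabling a header, and extending approvedRefererHostnames) are all small attribute changes to standalone-full.xml, but the Wildfly case requires two coordinated removals. The script below is an added example, not Qmatic's own tooling, that performs those edits on either syntax: it matches on local tag names so the JBoss EAP <valve>/<param param-name=...> form and the Wildfly <response-header>/<filter-ref>/<param name=...> form are handled by the same helpers. The two XML fragments embedded in it are constructed, trimmed copies of the blocks shown above, and the undertow namespace URI on the Wildfly fragment is an assumption.

```python
"""Script the standalone-full.xml edits this appendix describes.

Added example, not part of Orchestra. JBOSS_SAMPLE and WILDFLY_SAMPLE are
constructed, trimmed fragments of the configuration shown in the appendix;
the undertow namespace URI is assumed. Helpers compare local tag names, so
they work on namespaced (WildFly) and plain (JBoss) elements alike.
"""
import sys
import xml.etree.ElementTree as ET

JBOSS_SAMPLE = """<web-subsystem>
<valve name="contentSecurityPolicy" module="qmatic-valve-lib" class-name="com.qmatic.httpresponse.HttpResponseHeaderValve">
<param param-name="responseHeaderName" param-value="Content-Security-Policy"/>
<param param-name="responseHeaderValue" param-value="*"/>
</valve>
<valve name="refererHostHttpGuard" module="qmatic-valve-lib" class-name="com.qmatic.jboss.web.valve.HttpHostRefererGuard">
<param param-name="approvedRefererHostnames" param-value="cf.qmatic.cloud"/>
</valve>
</web-subsystem>"""

WILDFLY_SAMPLE = """<subsystem xmlns="urn:jboss:domain:undertow:1.2">
<server name="default-server"><host name="default-host" alias="localhost">
<filter-ref name="server-header"/>
<filter-ref name="xFrameOptions"/>
<filter-ref name="qmatic-referer-host-http-guard"/>
</host></server>
<filters>
<response-header name="server-header" header-name="Server" header-value="WildFly/8"/>
<response-header name="xFrameOptions" header-name="X-Frame-Options" header-value="SAMEORIGIN"/>
<filter name="qmatic-referer-host-http-guard" class-name="com.qmatic.httpfilter.HttpHostRefererGuard" module="qmatic-httpfilter-lib">
<param name="approvedRefererHostnames" value="cf.qmatic.cloud"/>
</filter>
</filters>
</subsystem>"""


def load(text):
    return ET.fromstring(text)


def local(tag):
    """Strip a {namespace} prefix so JBoss and WildFly tags compare alike."""
    return tag.rsplit("}", 1)[-1]


def named(root, tags, name):
    """All elements whose local tag is in `tags` and whose name="..." matches."""
    return [e for e in root.iter() if local(e.tag) in tags and e.get("name") == name]


def remove_all(root, elems):
    parents = {c: p for p in root.iter() for c in p}
    for e in elems:
        parents[e].remove(e)
    return len(elems)


def disable_jboss_valve(root, name):
    """JBoss EAP: drop the whole <valve>; returns how many were removed."""
    return remove_all(root, named(root, {"valve"}, name))


def disable_wildfly_header(root, name):
    """WildFly: drop the <response-header> and every <filter-ref> that names it,
    as the appendix requires. Returns (headers_removed, refs_removed)."""
    headers = named(root, {"response-header"}, name)
    refs = named(root, {"filter-ref"}, name)
    return remove_all(root, headers), remove_all(root, refs)


def params(elem):
    """Yield (param_element, name_attr, value_attr) for either param syntax."""
    for p in elem:
        if local(p.tag) != "param":
            continue
        if p.get("param-name") is not None:   # JBoss: param-name / param-value
            yield p, "param-name", "param-value"
        else:                                 # WildFly: name / value
            yield p, "name", "value"


def get_param(root, owner, pname):
    for e in named(root, {"valve", "filter"}, owner):
        for p, k, v in params(e):
            if p.get(k) == pname:
                return p.get(v)
    return None


def set_param(root, owner, pname, value):
    changed = 0
    for e in named(root, {"valve", "filter"}, owner):
        for p, k, v in params(e):
            if p.get(k) == pname:
                p.set(v, value)
                changed += 1
    return changed


def set_header_value(root, name, value):
    """Change a header's value in either syntax; returns entries changed."""
    changed = set_param(root, name, "responseHeaderValue", value)  # JBoss valve
    for e in named(root, {"response-header"}, name):                 # WildFly
        e.set("header-value", value)
        changed += 1
    return changed


def add_approved_referer(root, owner, hostname):
    """Append a host to approvedRefererHostnames (comma-separated, as shown in
    the appendix); returns the new list, or None if the guard is not present."""
    current = get_param(root, owner, "approvedRefererHostnames")
    if current is None:
        return None
    hosts = [h.strip() for h in current.split(",") if h.strip()]
    if hostname not in hosts:
        hosts.append(hostname)
    new = ", ".join(hosts)
    set_param(root, owner, "approvedRefererHostnames", new)
    return new


if __name__ == "__main__":
    # With a path argument the real file is parsed; otherwise the constructed
    # WildFly fragment is used. Write the result to a copy and diff it before
    # swapping it in and restarting Orchestra.
    root = ET.parse(sys.argv[1]).getroot() if len(sys.argv) > 1 else load(WILDFLY_SAMPLE)
    print(disable_wildfly_header(root, "server-header"))
    print(set_header_value(root, "xFrameOptions", "DENY"))
    print(add_approved_referer(root, "qmatic-referer-host-http-guard", "anotherhostname"))
    ET.dump(root)
```

Note that ElementTree rewrites namespace prefixes when it serialises a full standalone-full.xml, so review the diff of the written copy and keep the original file until Orchestra has restarted cleanly.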