Description
Before reporting an issue
- I have read and understood the above terms for submitting issues, and I understand that my issue may be closed without action if I do not follow them.
Area
welcome/ui
Describe the bug
At the time of login, some Keycloak APIs are missing essential security headers, including Content-Security-Policy (CSP) and Strict-Transport-Security (HSTS). The absence of these headers could pose security risks such as clickjacking, man-in-the-middle attacks and content injection vulnerabilities.
Version
26.1.0
Regression
- The issue is a regression
Expected behavior
Keycloak should be configured to send the following security headers in outgoing responses:
CSP: default-src 'self'; script-src 'self'; connect-src 'self'; upgrade-insecure-requests; block-all-mixed-content
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Actual behavior
Currently, these headers are missing from some login-related API responses, leaving the system potentially exposed.
How to Reproduce?
Attempt to authenticate using Keycloak's login flow, either through a browser or an API request. Use browser developer tools to inspect the headers returned by Keycloak login API responses. Verify whether the CSP and HSTS headers are present in the response. If they are absent, note down the affected endpoint.
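To make the header check above repeatable, here is an added example (not Keycloak's own code) that audits raw HTTP responses from the login flow against the CSP and HSTS values in "Expected behavior"; the two sample responses are constructed, not captured from a real server.

```python
# Added example, not Keycloak's code: audit raw HTTP responses from the login flow
# for the CSP and HSTS headers this report expects. Samples below are constructed.
EXPECTED_CSP = ("default-src 'self'; script-src 'self'; connect-src 'self'; "
                "upgrade-insecure-requests; block-all-mixed-content")
HSTS_MIN_AGE = 31536000  # one year, the value in the expected header

def parse_headers(raw):
    """Map lower-cased header names to values from a raw HTTP response."""
    headers = {}
    for line in raw.split("\r\n\r\n", 1)[0].split("\r\n")[1:]:  # skip status
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers

def parse_csp(value):
    """Split a CSP into {directive: (sources,)}; bare directives map to ()."""
    parts = [d.split() for d in value.split(";") if d.strip()]
    return {p[0].lower(): tuple(p[1:]) for p in parts}

def parse_hsts(value):
    """Split HSTS into {'max-age': int, 'includesubdomains': True, ...}."""
    pairs = [t.strip().partition("=") for t in value.split(";") if t.strip()]
    return {k.lower(): int(v) if v.isdigit() else True for k, _, v in pairs}

def audit(raw):
    """Return findings for one response; an empty list means it passes."""
    h, findings = parse_headers(raw), []
    csp = h.get("content-security-policy")
    if csp is None:
        findings.append("missing Content-Security-Policy")
    else:
        actual = parse_csp(csp)
        for directive, sources in parse_csp(EXPECTED_CSP).items():
            if actual.get(directive) != sources:
                findings.append("CSP directive missing or different: " + directive)
    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("missing Strict-Transport-Security")
    else:
        fields = parse_hsts(hsts)
        if fields.get("max-age", 0) < HSTS_MIN_AGE:
            findings.append("HSTS max-age below one year")
        if "includesubdomains" not in fields:
            findings.append("HSTS lacks includeSubDomains")
    return findings

# Constructed samples (not real Keycloak output): compliant page vs. weak token reply.
GOOD = ("HTTP/1.1 200 OK\r\nContent-Security-Policy: " + EXPECTED_CSP + "\r\n"
        "Strict-Transport-Security: max-age=31536000; includeSubDomains; preload\r\n\r\n")
BAD = "HTTP/1.1 200 OK\r\nStrict-Transport-Security: max-age=300\r\n\r\n{}"
```

Feed each captured login-flow response to audit(); any non-empty result names the endpoint to report.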
Anything else?
Suggested Fix: Configure Keycloak to automatically include these headers in API responses to enhance security and compliance with best practices.