Hi Andy,

These settings are for setting the HTTP response, and by default they are enabled. I was looking for stripping off the XSS script code from HTTP request params and headers. Here is what I did, and it seems to be working fine. I've created XSSFilter and added it to the FilterChain by using the code below. My implementation of the getParam, getParams, and getHeader methods strips off the XSS injection code so that it does not get into application code.

    import org.springframework.boot.web.servlet.FilterRegistrationBean;
    import org.springframework.context.annotation.Bean;
    import org.springframework.context.annotation.Configuration;
    import org.springframework.core.Ordered;

    @Configuration("WebFilterConfiguration")
    public class XifinWebFilterConfiguration {

        // Register XSSFilter for every URL, ahead of all other filters.
        @Bean
        public FilterRegistrationBean xssFilter() {
            FilterRegistrationBean filterRegBean = new FilterRegistrationBean();
            filterRegBean.setFilter(new XSSFilter());
            filterRegBean.addUrlPatterns("/*");
            filterRegBean.setOrder(Ordered.HIGHEST_PRECEDENCE);
            return filterRegBean;
        }
    }

Chava

On Wednesday, October 3, 2018 at 3:10:00 AM UTC-7, Andy Ng wrote:
> Hi Chava,
>
> See if these properties are what you are after?
>
> https://apereo.github.io/cas/5.2.x/installation/Configuration-Properties.html#http-web-requests
>
> Also, for what each property does, you can reference the source code here:
> [https://github.com/apereo/cas/blob/5.2.x/core/cas-server-core-configuration/src/main/java/org/apereo/cas/configuration/model/core/web/security/HttpWebRequestProperties.java]
>
> Cheers!
> - Andy
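
One way a request-wrapping filter like the XSSFilter mentioned in the message above could be written, as an added example that is not the poster's code and not part of CAS. The class body, the `sanitize` helper and the `SanitizedRequest` wrapper are assumptions; it escapes HTML-significant characters instead of stripping them and targets the `javax.servlet` API.

```java
import java.io.IOException;
import java.util.*;
import java.util.stream.Stream;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;

// Hypothetical XSSFilter: the original post does not show its implementation.
public class XSSFilter implements Filter {
    @Override public void init(FilterConfig cfg) { }
    @Override public void destroy() { }
    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        // Downstream code only ever sees the sanitising wrapper.
        chain.doFilter(new SanitizedRequest((HttpServletRequest) req), res);
    }

    // Escapes the characters that are significant in HTML; null stays null.
    static String sanitize(String v) {
        if (v == null) return null;
        return v.replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;")
                .replace("\"", "&quot;").replace("'", "&#39;");
    }

    static final class SanitizedRequest extends HttpServletRequestWrapper {
        SanitizedRequest(HttpServletRequest request) { super(request); }
        @Override public String getParameter(String name) { return sanitize(super.getParameter(name)); }
        @Override public String getHeader(String name) { return sanitize(super.getHeader(name)); }
        @Override public String[] getParameterValues(String name) {
            String[] values = super.getParameterValues(name);
            return values == null ? null
                    : Stream.of(values).map(XSSFilter::sanitize).toArray(String[]::new);
        }
        // Cover the map accessor too, or callers that use it bypass the filter.
        @Override public Map<String, String[]> getParameterMap() {
            Map<String, String[]> out = new LinkedHashMap<>();
            for (String k : super.getParameterMap().keySet()) out.put(k, getParameterValues(k));
            return Collections.unmodifiableMap(out);
        }
        @Override public Enumeration<String> getHeaders(String name) {
            Enumeration<String> raw = super.getHeaders(name);
            if (raw == null) return null;
            List<String> out = new ArrayList<>();
            while (raw.hasMoreElements()) out.add(sanitize(raw.nextElement()));
            return Collections.enumeration(out);
        }
    }
}
```

Escaping on input also changes legitimate values that contain `&` or quotes, such as URLs passed as parameters, and it does not cover request bodies read through `getInputStream()` or `getReader()`, so output encoding in the views is still needed.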