Labels: area/account/ui, area/admin/ui, area/authentication, area/core, kind/enhancement, status/triage, team/core-clients, team/core-shared
Description
The default Content Security Policy (CSP) used by Keycloak is not locked down enough and should be improved, since a strict CSP adds a lot of additional protection against XSS attacks.
We need to investigate what the best header would be. In addition, it will need to be dynamic/smart, as different parts of Keycloak require different CSP headers.
There may also be a need for users to configure some aspects of the CSP header in some situations. Currently this is done by completely overriding the header, which is not great: it results in a less secure CSP header, because the same header is applied to everything Keycloak does.
Details
See #16759, #15874, #14078, #9553
Tasks
- Removal of X-XSS-Protection header #21728
- Consider Replacing Monaco Editor or Bundling Resources Locally to Avoid CSP Conflicts #32901
- Provide Content Security Policy to prevent embedding of iframes on unauthorized origins #29782
- Security defenses: support CSP nonce for scripts and styles #32079
- Security defenses: allow setting Reporting-Endpoints response header for usage e.g. in CSP #32078
- Support for Content Security Policy Header #32123
- Use CSP instead of X-Frame-Options #37430
- Missing Security Headers in Keycloak Server #40589
- Loading the Admin Console fails when using --hostname which is different than --hostname-admin #42264
- Introduce a mechanism to register and enqueue scripts #43023
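The description and the task list above (per-request nonces, `frame-ancestors` in place of `X-Frame-Options`, `Reporting-Endpoints`, and letting operators adjust parts of the policy without replacing the whole header) fit together as one small piece of code. The following is an added example, not Keycloak's own implementation: it builds a per-response policy in which only the framing origins, extra script origins and reporting group are configurable, and lints a policy for the weaknesses a single static override tends to have. Every directive value, the `STATIC_OVERRIDE` string and the report URL are constructed assumptions for illustration.

```python
"""Added example (not Keycloak code): build a per-response CSP with a nonce,
express framing rules via frame-ancestors instead of X-Frame-Options, wire up
Reporting-Endpoints, and lint a policy for common gaps. All directive values
are illustrative assumptions, not Keycloak's actual defaults."""
import secrets
from typing import Dict, List, Optional, Sequence, Tuple

# Constructed stand-in for the "override the whole header" approach: one static
# string reused for every page, so it can never carry a fresh nonce.
STATIC_OVERRIDE = "frame-src 'self'; frame-ancestors 'self'; object-src 'none';"


def new_nonce() -> str:
    """Fresh random nonce; generated per response and never reused."""
    return secrets.token_urlsafe(16)


def build_csp(nonce: str,
              frame_ancestors: Sequence[str] = ("'self'",),
              extra_script_src: Sequence[str] = (),
              report_group: Optional[str] = None) -> str:
    """Serialize a policy. Only the parts an operator legitimately needs to vary
    (who may frame the page, extra script origins, the reporting group) are
    parameters; everything else stays locked down."""
    directives: Dict[str, List[str]] = {
        "default-src": ["'self'"],
        "script-src": ["'self'", f"'nonce-{nonce}'", *extra_script_src],
        "style-src": ["'self'", f"'nonce-{nonce}'"],
        "img-src": ["'self'", "data:"],
        "object-src": ["'none'"],
        "base-uri": ["'self'"],
        "frame-ancestors": list(frame_ancestors),   # replaces X-Frame-Options
    }
    if report_group:
        directives["report-to"] = [report_group]
    return "; ".join(f"{name} {' '.join(values)}" for name, values in directives.items())


def parse_csp(header: str) -> Dict[str, List[str]]:
    """Split a serialized policy into directive name -> source list."""
    policy: Dict[str, List[str]] = {}
    for directive in header.split(";"):
        parts = directive.split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    return policy


def lint_csp(policy: Dict[str, List[str]]) -> List[str]:
    """Return human-readable findings for gaps that weaken XSS/framing defenses."""
    findings: List[str] = []
    script = policy.get("script-src", policy.get("default-src"))
    if script is None:
        findings.append("no script-src or default-src: inline and remote scripts are unrestricted")
    else:
        has_nonce = any(v.startswith("'nonce-") for v in script)
        # Browsers ignore 'unsafe-inline' once a nonce is present, so it is only
        # a finding when no nonce accompanies it.
        if "'unsafe-inline'" in script and not has_nonce:
            findings.append("script-src allows 'unsafe-inline' without a nonce")
        if "*" in script:
            findings.append("script-src allows any origin (*)")
    if "frame-ancestors" not in policy:
        findings.append("no frame-ancestors: page can be framed by any origin")
    if "object-src" not in policy and "default-src" not in policy:
        findings.append("no object-src: plugin content is unrestricted")
    if "base-uri" not in policy:
        findings.append("no base-uri: an injected <base> tag can redirect relative URLs")
    return findings


def response_headers(frame_ancestors: Sequence[str] = ("'self'",),
                     report_url: Optional[str] = None) -> Tuple[str, Dict[str, str]]:
    """Produce the nonce (for the page's <script nonce=...> tags) and the
    headers for one response. No X-Frame-Options is emitted; frame-ancestors
    carries that rule. report_url is a constructed example value when given."""
    nonce = new_nonce()
    group = "csp" if report_url else None
    headers = {"Content-Security-Policy": build_csp(nonce, frame_ancestors, report_group=group)}
    if report_url:
        headers["Reporting-Endpoints"] = f'csp="{report_url}"'
    return nonce, headers


if __name__ == "__main__":
    print("static override findings:", lint_csp(parse_csp(STATIC_OVERRIDE)))
    nonce, hdrs = response_headers(report_url="https://example.test/csp-reports")
    print("nonce for templates:", nonce)
    for k, v in hdrs.items():
        print(f"{k}: {v}")
```

The nonce returned by `response_headers` has to reach the template that renders the page so that each legitimate `<script>` and `<style>` tag carries it; a policy that is correct at the header level but whose page still ships un-nonced inline scripts simply breaks the page, which is why the description calls for the header to be generated per part of the application rather than set once globally.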