1

I run the latest Jenkins standalone, as below.

java -jar jenkins.war

We used a self-signed SSL certificate. When we access the Jenkins console and observe the HTTP response headers, we see critical HTTP headers missing, for example X-XSS-Protection.

We do not use or plan to use any web proxy, but would like to access the Jenkins URL directly: https://localhost:9043

I already read this article but it does not seem to have any solution: https://issues.jenkins-ci.org/browse/JENKINS-24548

Can you please suggest how I can add, say, X-XSS-Protection to my Jenkins?

Ashar

1 Answer

2

I would not name X-XSS-Protection critical. I would name it pretend-you-do-something.

Having said that, there's a plugin: https://plugins.jenkins.io/extended-security-settings/

In the article you will also read:

For more complex header rewrite rules, using a reverse proxy such as Apache with mod_headers is a more complete solution.

Marek Puchalski
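
The reverse-proxy approach quoted in the answer, sketched as an Apache virtual host. This is an added example, not part of the original answer or of the Jenkins documentation; the certificate paths, the backend port 8080 and the header value are assumptions.

```apache
# Added example. Assumes mod_ssl, mod_proxy, mod_proxy_http and mod_headers
# are loaded, and that Jenkins was started bound to loopback only, e.g.
#   java -jar jenkins.war --httpPort=8080 --httpListenAddress=127.0.0.1
Listen 9043
<VirtualHost *:9043>
    ServerName localhost

    SSLEngine on
    # Placeholder paths for the existing self-signed certificate and key
    SSLCertificateFile    /path/to/jenkins.crt
    SSLCertificateKeyFile /path/to/jenkins.key

    # Forward everything to Jenkins; nocanon + NoDecode keep encoded
    # slashes in job URLs intact
    ProxyRequests       Off
    ProxyPreserveHost   On
    AllowEncodedSlashes NoDecode
    ProxyPass        / http://127.0.0.1:8080/ nocanon
    ProxyPassReverse / http://127.0.0.1:8080/

    # Tell Jenkins the client connection was HTTPS on port 9043
    RequestHeader set X-Forwarded-Proto "https"
    RequestHeader set X-Forwarded-Port "9043"

    # "always" also covers error responses (4xx/5xx), not only 2xx
    Header always set X-XSS-Protection "1; mode=block"
</VirtualHost>
```

With the proxy running, `curl -skI https://localhost:9043/` should list the header (`-k` accepts the self-signed certificate).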