Empty CSP header value breaks security filter #29458
Labels: area/authentication, kind/bug, kind/regression, priority/important, release/24.0.5, release/25.0.0, team/core-clients
Area
authentication
Describe the bug
When a realm doesn't have a CSP header configured under "Security Defenses", then all login-related pages fail with an HTTP 500.
The logs contain the following when the default log level is increased:
keycloak/services/src/main/java/org/keycloak/headers/DefaultSecurityHeadersProvider.java, lines 109 to 110 at 3186b6d
This section is missing the check for a non-null value that e.g. the addHeader() method has. 047e804 introduced this error.
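The defect pattern the report describes, shown as an added illustration rather than Keycloak's own code: the class, method names and header values below are hypothetical, and the cleared CSP entry is a constructed input.

```java
import java.util.LinkedHashMap;
import java.util.Map;

// Hypothetical provider (not Keycloak's DefaultSecurityHeadersProvider) that
// copies a realm's configured security headers onto an outgoing response.
public class SecurityHeadersExample {

    // Constructed realm configuration. The CSP entry is null because the admin
    // cleared it under "Security Defenses"; the other headers keep their values.
    static Map<String, String> realmHeaders() {
        Map<String, String> cfg = new LinkedHashMap<>();
        cfg.put("X-Frame-Options", "SAMEORIGIN");
        cfg.put("Content-Security-Policy", null);
        cfg.put("X-Content-Type-Options", "nosniff");
        return cfg;
    }

    // Defective variant: assumes every configured value is present, so it throws
    // NullPointerException on the cleared CSP, which the servlet layer surfaces
    // as an HTTP 500 on every page that sets security headers.
    static Map<String, String> buildUnchecked(Map<String, String> cfg) {
        Map<String, String> out = new LinkedHashMap<>();
        for (Map.Entry<String, String> e : cfg.entrySet()) {
            out.put(e.getKey(), e.getValue().trim());
        }
        return out;
    }

    // Hardened variant: a header whose value is null or blank is omitted, so the
    // login pages still render, only without that particular protection.
    static Map<String, String> buildChecked(Map<String, String> cfg) {
        Map<String, String> out = new LinkedHashMap<>();
        for (Map.Entry<String, String> e : cfg.entrySet()) {
            String value = e.getValue();
            if (value == null || value.isBlank()) {
                continue;
            }
            out.put(e.getKey(), value.trim());
        }
        return out;
    }

    public static void main(String[] args) {
        Map<String, String> cfg = realmHeaders();
        try {
            buildUnchecked(cfg);
        } catch (NullPointerException npe) {
            System.out.println("unchecked variant failed: " + npe);
        }
        System.out.println("checked variant emitted: " + buildChecked(cfg).keySet());
    }
}
```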
Version
24.0.4
Regression
Expected behavior
CSP header can be left blank and login still works albeit less securely.
Actual behavior
Login-related pages (realm login page, step1.html and possibly more) fail with HTTP 500.
Anything else?
The affected realm in our deployment had this header cleared many releases ago and it just started failing with one of the 24.0.* releases.