I run the latest Jenkins as a standalone, as below:
java -jar jenkins.war
We used a self-signed SSL certificate. When we access the Jenkins console and observe the HTTP response headers, we see critical HTTP headers missing, for example X-XSS-Protection.
We do not use or plan to use any web proxy, but would like to access the Jenkins URL directly: https://localhost:9043
I already read this article but it does not seem to have any solution: https://issues.jenkins-ci.org/browse/JENKINS-24548
Can you please suggest how I can add, say, the X-XSS-Protection header to my Jenkins?
I would not name X-XSS-Protection critical. I would name it pretend-you-do-something.
Having said that, there's a plugin: https://plugins.jenkins.io/extended-security-settings/
In the article you will also read:
For more complex header rewrite rules, using a reverse proxy such as Apache with mod_headers is a more complete solution.
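The reverse-proxy approach quoted above, shown as an added example that is not part of the original answer or of the Jenkins project's own configuration. It assumes Apache with mod_ssl, mod_proxy, mod_proxy_http and mod_headers enabled, and Jenkins rebound to loopback over plain HTTP (`java -jar jenkins.war --httpListenAddress=127.0.0.1 --httpPort=8080`); the server name, port 8080 and certificate paths are placeholders.

```apache
# Added example: Apache terminates TLS and injects the response header.
# ServerName, backend port and certificate paths are assumed placeholders.
<VirtualHost *:443>
    ServerName jenkins.example.test

    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/jenkins-proxy.crt
    SSLCertificateKeyFile /etc/ssl/private/jenkins-proxy.key

    # Forward everything to the Jenkins instance listening on loopback only,
    # so the header cannot be bypassed by connecting to Jenkins directly.
    ProxyPreserveHost On
    AllowEncodedSlashes NoDecode
    ProxyPass        / http://127.0.0.1:8080/ nocanon
    ProxyPassReverse / http://127.0.0.1:8080/

    # Tell Jenkins the original request arrived over HTTPS on port 443,
    # so the links and redirects it generates keep the https:// scheme.
    RequestHeader set X-Forwarded-Proto "https"
    RequestHeader set X-Forwarded-Port  "443"

    # "always" also covers error and redirect responses, not only 2xx.
    Header always set X-XSS-Protection "1; mode=block"
</VirtualHost>
```

After reloading Apache, the header should appear in the response headers for any Jenkins page fetched through the proxy, including the login redirect.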