Reverse proxy doesn't add custom headers for redirects #1204
Hi guys, I have a little problem: I'm using the reverse proxy handler on a vserver, and I have added custom headers on the handler and in the transform tab.
The problem is that when my backend response is a 301, Cherokee just passes that response to the client without adding my custom headers.
Is there any way to modify that response or is it a bug of the reverse proxy handler?
Thank you very much!
Do you think it is a good feature to be implemented, does it make sense? I'm asking this because I'm a provider of a big telco company and the guys on security are running some vulnerability tests using nikto, and they keep saying my site doesn't comply with their policies, because the automatic test on nikto keeps detecting the missing header x-frame-options, for example.
My understanding is that it doesn't make any sense to send those headers on a redirect response... but anyways they keep saying the site is vulnerable.
Reviewing this https://docs.spring.io/spring-security/site/docs/current/reference/html/headers.html I see your use case. Personally I wouldn't even want to give an indication of the content serving over HTTP. So implementing this as header addition before HSTS sounds not smart to me. Maybe we should add the option to set some standard headers, and have that as a feature request. In a way you don't have to set them up as explicit header additions, but more in the style of a preconfigured header.
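An added example, not part of this thread or of Cherokee's code: an offline check for the situation described above, reporting which required headers are absent on each hop of a redirect chain and which are missing only on the redirect hops. The policy list `REQUIRED`, the function names and the sample responses are assumptions constructed for illustration.

```python
from email.parser import Parser

# Assumed policy list; replace with the headers your security team requires.
REQUIRED = ("X-Frame-Options", "X-Content-Type-Options")

# Constructed sample: a relayed 301 without the custom headers, then the final 200.
SAMPLE_CHAIN = [
    "HTTP/1.1 301 Moved Permanently\r\nLocation: https://example.test/\r\n"
    "Content-Length: 0\r\n\r\n",
    "HTTP/1.1 200 OK\r\nX-Frame-Options: DENY\r\n"
    "X-Content-Type-Options: nosniff\r\nContent-Type: text/html\r\n\r\n<html></html>",
]

def parse_response(raw):
    """Split a raw HTTP response into (status code, case-insensitive headers)."""
    head, _, _body = raw.partition("\r\n\r\n")
    status_line, _, header_block = head.partition("\r\n")
    status = int(status_line.split(" ", 2)[1])
    headers = Parser().parsestr(header_block, headersonly=True)
    return status, headers

def audit_chain(chain, required=REQUIRED):
    """Return one finding per hop listing the required headers it lacks."""
    findings = []
    for hop, raw in enumerate(chain):
        status, headers = parse_response(raw)
        findings.append({
            "hop": hop,
            "status": status,
            "redirect": 300 <= status < 400 and "Location" in headers,
            "missing": [h for h in required if headers.get(h) is None],
        })
    return findings

def redirect_only_gaps(findings, required=REQUIRED):
    """Headers set on the final response but absent on at least one redirect hop.

    A non-empty result points at header rules that are not applied to
    relayed 3xx responses, rather than at a header that is unset everywhere.
    """
    final_missing = set(findings[-1]["missing"])
    return [
        h for h in required
        if h not in final_missing
        and any(h in f["missing"] for f in findings if f["redirect"])
    ]

if __name__ == "__main__":
    for finding in audit_chain(SAMPLE_CHAIN):
        print(finding)
    print("missing only on redirects:", redirect_only_gaps(audit_chain(SAMPLE_CHAIN)))
```

To audit a real site, capture each hop's raw response without following redirects and pass the list to `audit_chain`.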