Reverse proxy doesn't add custom headers for redirects #1204

Open
fuzzball1980 opened this Issue Mar 22, 2018 · 5 comments

fuzzball1980 commented Mar 22, 2018

Hi guys, I have a little problem. I'm using the reverse proxy handler on a vserver and I have added custom headers on the handler and in the transform tab.

The problem is that when my backend response is a 301, Cherokee just passes that response to the client without adding my custom headers.

Is there any way to modify that response or is it a bug of the reverse proxy handler?

Thank you very much!


fuzzball1980 commented Mar 22, 2018

OK guys, I got more information... the problem is not in the reverse proxy handler. I have HSTS enabled on the vserver :-( Sorry.

Anyway, is there any way to change the response made for the HSTS?

Thank you!!


Member

skinkie commented Mar 22, 2018

No, the HSTS is set up automatically...

@skinkie skinkie closed this Mar 22, 2018


fuzzball1980 commented Mar 22, 2018

Do you think it is a good feature to be implemented? Does it make sense? I'm asking this because I'm a provider for a big telco company and the guys in security are running some vulnerability tests using Nikto, and they keep saying my site doesn't comply with their policies, because the automatic test in Nikto keeps detecting the missing header X-Frame-Options, for example.

My understanding is that it doesn't make any sense to send those headers on a redirect response... but anyway, they keep saying the site is vulnerable.

Thanks!


Member

skinkie commented Mar 22, 2018

Reviewing this https://docs.spring.io/spring-security/site/docs/current/reference/html/headers.html I see your use case. Personally I wouldn't even want to give an indication of the content being served over HTTP. So implementing this as a header addition before HSTS doesn't sound smart to me. Maybe we should add the option to set some standard headers, and have that as a feature request. In a way, you don't have to set them up as explicit header additions but more in the style of a preconfigured header.

@skinkie skinkie reopened this Mar 22, 2018


fuzzball1980 commented Mar 22, 2018

Looks good to me. I don't understand the difference between header addition before HSTS and the option to add some standard headers, but if it allows setting those standard security headers and maybe removing some others like Server/X-Powered-By, it should work!
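The check the thread keeps running into, as an added example that is not part of this thread or of Cherokee's code: it parses one raw HTTP response (a constructed 301 redirect, with a hardened variant for comparison) and reports which standard security headers a scanner such as Nikto would flag as missing, plus the disclosing headers (Server, X-Powered-By) the last comment wants removed. The header lists, the sample responses and the `https` flag are assumptions; HSTS is only counted as expected over HTTPS, since browsers ignore it on plain HTTP.

```python
"""Audit a single raw HTTP/1.x response, redirects included, for hardening
headers that are missing and stack-disclosing headers that are present.
Added example; the sample responses below are constructed, not captured."""
from typing import Dict, List, Tuple

# Headers a scanner expects on every response, 3xx redirects included (assumed list).
EXPECTED = ("Strict-Transport-Security", "X-Frame-Options", "X-Content-Type-Options")
# Headers that reveal the software stack and are better stripped at the edge.
DISCLOSING = ("Server", "X-Powered-By")


def parse_response(raw: str) -> Tuple[int, Dict[str, str]]:
    """Split a raw response into its status code and a lower-cased header map."""
    head = raw.split("\r\n\r\n", 1)[0]           # ignore any body
    status_line, *header_lines = head.split("\r\n")
    status = int(status_line.split(" ", 2)[1])   # "HTTP/1.1 301 ..." -> 301
    headers: Dict[str, str] = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()  # header names are case-insensitive
    return status, headers


def audit(raw: str, https: bool = True) -> Dict[str, object]:
    """Return the status code, the expected headers that are missing and the
    disclosing headers that are present. HSTS is only expected over HTTPS."""
    status, headers = parse_response(raw)
    expected = [h for h in EXPECTED if https or h != "Strict-Transport-Security"]
    missing = [h for h in expected if h.lower() not in headers]
    leaking = [h for h in DISCLOSING if h.lower() in headers]
    return {"status": status, "missing": missing, "leaking": leaking}


# Constructed redirect as a backend might return it through the proxy: no
# hardening headers, and a Server header that names the backend software.
SAMPLE_REDIRECT = (
    "HTTP/1.1 301 Moved Permanently\r\n"
    "Server: backend/1.0\r\n"
    "Location: https://example.invalid/new/\r\n"
    "Content-Length: 0\r\n\r\n"
)

# The same redirect after the edge added the standard headers and dropped Server.
SAMPLE_HARDENED = (
    "HTTP/1.1 301 Moved Permanently\r\n"
    "Location: https://example.invalid/new/\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    "X-Frame-Options: DENY\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "Content-Length: 0\r\n\r\n"
)
```

Feeding `SAMPLE_REDIRECT` to `audit` lists all three hardening headers as missing and `Server` as leaking, which is exactly the finding a scanner reports against a redirect the proxy passed through untouched.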
