Custom HTTP Headers with Client-Side Routing

[picchietti]

Hi,

I'm using the latest SWS via docker with a toml config file instead of env variables.

SWS is serving my client-side routed (BrowserRouter style) singe page application. It does this through the page-fallback option.

I'm trying to set security headers on all client-side routed pages. I would settle for setting the headers on every fetched resource. However, no matter what is set for source: *, **, *.html, **/*, etc it wont work on routes like /docs or /docs/xyz. It will work with / and /assets/main.js. Is there any way I can accomplish this?

Why not use the security-headers option? It sets X-XSS-Protection which Mozilla says can cause XSS vulnerabilities, and sets Strict-Transport-Security which I don't need to set on my encrypted onion service.

[joseluisq]

However, no matter what is set for source: *, **, *.html, **/*, etc it wont work on routes like /docs or /docs/xyz. It will work with / and /assets/main.js. Is there any way I can accomplish this?

If you want a glob pattern to apply to everything then try an asterisk surrounded by curly braces which will be used as a wildcard.

In the example below, the custom header should be applied to whatever route.

[advanced]

[[advanced.headers]]
source = "{*}"
# or more advanced one:
# source = "{*/,/*}"
[advanced.headers.headers]
X-Custom-Header = "some-value"

[picchietti]

I tried both {*} and {*/,/*}. Unfortuntely, I still saw the same behavior:

No custom header on /docs

Custom header on asset file

Custom header on /

It seems that it only applies the headers when it doesn't need to page-fallback.

To eliminate any weirdness with Tor Browser and hosting through an Onion Service, I hosted it locally and got the same results.

(I am restarting the server each time I change the config.)

This is my toml config:

[general]

host = "0.0.0.0"
port = 1337
root = "/public"
page-fallback = "/public/index.html"
log-level = "info"
log-remote-address = false
cache-control-headers = true
compression = true
compression-static = false
security-headers = false # set security headers in [advanced] section
cors-allow-origins = ""
cors-allow-headers = ""
directory-listing = false
redirect-trailing-slash = true

[advanced]

[[advanced.headers]]
source = "{*/,/*}"

[advanced.headers.headers]
X-Custom-Header = "some-value"
#Content-Security-Policy = "default-src 'self'; base-uri 'self'; form-action 'self'; frame-ancestors 'none'; object-src 'none'"
#Permissions-Policy = "geolocation=(), camera=(), microphone=()"
#X-Frame-Options = "DENY"
#X-Content-Type-Options = "nosniff"

I've tried it with an without redirect-trailing-slash.
I don't see anything in the trace logs to note.
I haven't found anything in globstar docs yet.

I'm a rust beginner, but I'll do my best to check the source code soonish.

[joseluisq]

I see, if page-fallback is enabled then the headers are not even applied.
This is definitely missing, I just fixed that with e183ea3. But in the meantime, if you are working with Docker then try to use some of the devel images.

docker pull joseluisq/static-web-server:devel
# or
docker pull joseluisq/static-web-server:devel-alpine

Or if not using Docker, then try to build SWS from source or wait until the next release.

[picchietti]

I've confirmed that the devel image fixes the issue. Thank you!

[joseluisq]

Released on v2.18.0
BTW thanks for the support!

[joseluisq]

Why not use the security-headers option? It sets X-XSS-Protection which Mozilla says can cause XSS vulnerabilities, and sets Strict-Transport-Security which I don't need to set on my encrypted onion service.

BTW, great that you did remind me about the obsolete X-XSS-Protection header. It should be removed in a next release.