To help Dart HTTP servers be more secure, Dart v1.6 includes changes to the HttpServer class to follow best practices for headers and cookies.
HttpServer has a new field – defaultResponseHeaders – which is populated with a set of recommended headers (see below). The HttpResponse created for each request is populated with the values from defaultResponseHeaders.
You can change the default headers for an individual response by modifying the HttpResponse.headers field. If you’d like to change headers sent with every response, add and remove values from defaultResponseHeaders.
We also added a clear method to HttpHeaders. This makes it easier to remove all of the values from defaultResponseHeaders or from any other HttpHeaders instance.
The default values should be valid for most responses most of the time. Instead of clearing the default values from defaultResponseHeaders, consider changing the individual headers on specific responses when needed.
Note: if you have implemented the HttpServer or HttpHeaders type in your own class, you need to implement these additional members.
Finally, we also changed the defaults for newly created Cookie objects so that the HttpOnly flag is set.
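The following is an added example, not code from the Dart 1.6 announcement or the Dart SDK, that puts the pieces above together: a server that keeps the recommended defaults, adds one header server-wide through defaultResponseHeaders, overrides headers on individual responses where a specific endpoint needs it, and sets an HttpOnly cookie. It assumes current dart:io names (InternetAddress.loopbackIPv4, ContentType.json, ContentType.html); the route paths and the cookie value are constructed sample data.

```dart
// Added example (not from the Dart 1.6 announcement or the SDK): an HttpServer
// that keeps the recommended defaultResponseHeaders and changes headers only
// where a specific response needs it.
// Assumes current dart:io API names (InternetAddress.loopbackIPv4,
// ContentType.json, ContentType.html); Dart 1.6 spelled these
// LOOPBACK_IP_V4, ContentType.JSON and ContentType.HTML.
import 'dart:convert';
import 'dart:io';

Future<HttpServer> startServer({int port = 8080}) async {
  final server = await HttpServer.bind(InternetAddress.loopbackIPv4, port);

  // Server-wide change: every response gets this header in addition to the
  // defaults the runtime populated. The default values themselves are left
  // in place rather than cleared, as the announcement recommends.
  server.defaultResponseHeaders.set('Cache-Control', 'no-store');

  server.listen(handleRequest);
  return server;
}

Future<void> handleRequest(HttpRequest request) async {
  final response = request.response;
  switch (request.uri.path) {
    case '/api/status':
      // Per-response override: this endpoint returns JSON, so replace the
      // default text/plain Content-Type on this response only.
      response.headers.contentType = ContentType.json;
      response.write(jsonEncode({'ok': true}));
      break;
    case '/embed':
      // This page is meant to be framed by other origins, so drop
      // X-Frame-Options for this response only; every other response
      // keeps the SAMEORIGIN default.
      response.headers.removeAll('X-Frame-Options');
      response.headers.contentType = ContentType.html;
      response.write('<!doctype html><p>embeddable widget</p>');
      break;
    case '/login':
      // Cookies are created with httpOnly already set; marking it secure as
      // well keeps it off plain HTTP. The cookie value is constructed sample data.
      final cookie = Cookie('session', 'constructed-sample-id')
        ..httpOnly = true
        ..secure = true
        ..path = '/';
      response.cookies.add(cookie);
      response.write('logged in');
      break;
    default:
      // The defaults apply untouched: text/plain, SAMEORIGIN, nosniff,
      // X-XSS-Protection, plus the Cache-Control header added above.
      response.write('hello');
  }
  await response.close();
}

Future<void> main() async {
  final server = await startServer();
  print('listening on http://${server.address.host}:${server.port}/');
}
```

Run it with dart run and request / , /api/status and /embed with a client that shows response headers; only the /embed response lacks X-Frame-Options, and only /api/status carries application/json, which is the per-response pattern the post recommends over clearing defaultResponseHeaders.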
Feel free to ask questions on the Dart misc@ group if you have any problems.
Content-Type: text/plain; charset=utf-8
Causes the response to be interpreted as plain text if the caller doesn't specify another Content-Type, which can prevent XSS vulnerabilities in servers built on top of HttpServer. Without a Content-Type, the browser has to guess: it may default to HTML or inherit the content type from the parent window. These implicit behaviors can easily lead to Cross Site Scripting attacks.
X-Frame-Options: SAMEORIGIN
Prevents clickjacking attacks. Should rarely cause problems unless the response needs to be embeddable by origins other than its own. Remove this header from a response to allow cross-domain embedding of it.
X-Content-Type-Options: nosniff
Prevents content type sniffing, which is common in some versions of Internet Explorer.
X-XSS-Protection: 1; mode=block
Forces the browser's cross site scripting filter on, even if the user has disabled it.