[dart-announce] Changes to HttpServer in Dart v1.6 - more secure by default


Kevin Moore

Aug 20, 2014, 5:53:21 PM8/20/14
to anno...@dartlang.org

To help Dart HTTP servers be more secure, Dart v1.6 includes changes to the HttpServer class to follow best practices for headers and cookies.


HttpServer has a new field – defaultResponseHeaders – which is populated with a set of recommended headers (see below). The HttpResponse created for each request is populated with the values from defaultResponseHeaders.


You can change the default headers for an individual response by modifying the HttpResponse.headers field. If you’d like to change headers sent with every response, add and remove values from defaultResponseHeaders.


We also added a clear method to HttpHeaders. This makes it easier to clear all of the values in defaultResponseHeaders or in any other instance of the headers object.


The default values should be valid for most responses most of the time. Instead of clearing the default values from defaultResponseHeaders, consider changing the individual headers on specific responses when needed.


Note: if you implement the HttpServer or HttpHeaders interface in your own class, you need to implement these additional members.


Finally, we also changed the defaults for newly created Cookie objects so that 'httponly' is set.


Feel free to ask questions on the Dart misc@ group if you have any problems.


New default header values

Content-Type: text/plain; charset=utf-8

Causes the response to be interpreted as plain text if the handler doesn't specify another Content-Type, which might prevent XSS vulnerabilities in servers built on top of HttpServer. A missing Content-Type causes the browser to guess, default to HTML, or inherit the content type from the parent window. These implicit behaviors can easily lead to cross-site scripting attacks.


X-Frame-Options: SAMEORIGIN

Prevents clickjacking attacks. It should rarely cause problems unless the response needs to be embeddable from origins other than its own. Remove this header to enable cross-domain embedding.


X-Content-Type-Options: nosniff

Prevents content type sniffing, which is common in some versions of Internet Explorer.


X-XSS-Protection: 1; mode=block

Forces cross-site scripting protection, even if it was disabled by the user.
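Putting the above together, here is an added example (written in current Dart, not code from the announcement or the Dart SDK) of a server that keeps the recommended defaultResponseHeaders and only overrides them on the specific responses that need it; the '/embed' widget route and the 'session' cookie value are constructed for illustration.

```dart
// Added example: keep HttpServer.defaultResponseHeaders intact and adjust
// headers per response instead of clearing the secure defaults.
import 'dart:io';

Future<void> main() async {
  final server = await HttpServer.bind(InternetAddress.loopbackIPv4, 8080);

  // Add to the recommended set for every response rather than replacing it.
  server.defaultResponseHeaders.set('Cache-Control', 'no-store');

  await for (final HttpRequest request in server) {
    final response = request.response;
    switch (request.uri.path) {
      case '/':
        // Only this HTML page overrides the text/plain default; the
        // nosniff and X-Frame-Options defaults stay in place.
        response.headers.contentType = ContentType.html;
        response.write('<!doctype html><p>hello</p>');
        break;
      case '/embed':
        // Hypothetical widget that other origins must be able to frame:
        // drop X-Frame-Options for this response only, not globally.
        response.headers.removeAll('X-Frame-Options');
        response.headers.contentType = ContentType.html;
        response.write('<!doctype html><p>embeddable widget</p>');
        break;
      case '/login':
        // Cookies are httpOnly by default since Dart 1.6; stating it
        // explicitly and adding secure keeps the session id off plain HTTP.
        final session = Cookie('session', 'constructed-sample-id')
          ..httpOnly = true
          ..secure = true
          ..path = '/';
        response.cookies.add(session);
        response.write('logged in');
        break;
      default:
        response.statusCode = HttpStatus.notFound;
        response.write('not found');
    }
    await response.close();
  }
}
```

Run it and inspect the response headers of each route with a client such as curl to confirm that only the route you changed differs from the defaults.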


--
For more news and information, visit http://news.dartlang.org/
 
To join the conversation, visit https://groups.google.com/a/dartlang.org/