Help needed to include CSP HTTP header in response headers


S V

Sep 10, 2019, 7:30:50 AM
to Luminus
Hello!

I have developed a simple Luminus web application.

I am trying to add a CSP HTTP header to the response headers when serving JavaScript files.

The solution suggested in documentation (http://www.luminusweb.net/docs/responses.html#setting_headers) seems to be working for REST end points but not for javascript files.

My folder structure is like this:

project root
  |
  |
  |-- resources
        |
        |
        |--resources
              |
              |--public
                   |
                   |--js
                       |
                       |-my_js_file.js
  |
  |--src
      |
      |-clj

Just as an example, here is the output when I try to fetch the response headers for one of the included JS files:

$ curl -I http://127.0.0.1:8080/popper/popper.js
HTTP/1.1 200 OK
Server: undertow
X-XSS-Protection: 1; mode=block
X-Frame-Options: SAMEORIGIN
Date: Tue, 10 Sep 2019 11:28:50 GMT
Connection: keep-alive
Last-Modified: Thu, 05 Sep 2019 15:04:26 GMT
X-Content-Type-Options: nosniff
Content-Length: 0
Content-Type: text/javascript; charset=utf-8

The solution so far looks elusive and I think I need help here!

Please let me know if any further details are needed.

Thanks,
Sreeram

Dmitri

Sep 10, 2019, 9:17:49 AM
to Luminus
Hi,

What's going on here is that the JS file is served using the resource middleware https://ring-clojure.github.io/ring/ring.middleware.resource.html and the way to add the header would be to do it in the middleware namespace. For example, you could do something like the following:

;; Runs the wrapped handler, then adds a CSP header to any response whose
;; Content-Type marks it as JavaScript; other responses pass through untouched.
(defn wrap-js-headers [handler]
  (fn [request]
    (let [response (handler request)]
      (if (some-> (get-in response [:headers "Content-Type"])
                  (.contains "text/javascript"))
        (assoc-in response [:headers "Content-Security-Policy"] "default-src 'self'")
        response))))

;; wrap-js-headers sits outside wrap-defaults (which includes the resource
;; middleware that serves the JS files), so it sees every resource response.
;; `defaults`, `ttl-memory-store` and `wrap-internal-error` are the names
;; already present in the project's middleware namespace.
(defn wrap-base [handler]
  (-> ((:middleware defaults) handler)
      (wrap-defaults
        (-> site-defaults
            (assoc-in [:security :anti-forgery] false)
            (assoc-in [:session :store] (ttl-memory-store (* 60 30)))))
      (wrap-js-headers)
      wrap-internal-error))
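As an added example that is not part of Dmitri's reply or the Luminus template, here is the same content-type-gated middleware written so it runs on its own: the `wrap-csp` and `content-type` names, the stub handler and the canned Ring response maps are all constructed for this illustration and need only clojure.core and clojure.string. It generalizes the reply's check in two ways a practitioner would want. The Content-Type lookup is case-insensitive, because Ring header keys are plain strings and not every handler writes `Content-Type` the way `wrap-content-type` does. And the list of gated types includes `text/html`, because a browser enforces a Content-Security-Policy on the document that loads a script, so the header on the HTML response is the one that actually constrains what runs; the header on the JS response itself does not restrict the page.

```clojure
;; Added example (not from the thread): content-type-gated CSP middleware,
;; exercised against a constructed stub handler with Ring-style maps.
(ns csp-example
  (:require [clojure.string :as str]))

(defn content-type
  "Return the response's Content-Type value regardless of header-name case.
   Ring headers are a map of plain strings, so a handler may have written
   \"content-type\" where wrap-content-type writes \"Content-Type\"."
  [response]
  (some (fn [[k v]] (when (= "content-type" (str/lower-case k)) v))
        (:headers response)))

(defn wrap-csp
  "Middleware: add Content-Security-Policy with value `policy` to responses
   whose Content-Type contains one of the strings in `types`; every other
   response (including 404s with no Content-Type) is returned unchanged."
  [handler policy types]
  (fn [request]
    (let [response (handler request)
          ct       (content-type response)]
      (if (and ct (some #(str/includes? ct %) types))
        (assoc-in response [:headers "Content-Security-Policy"] policy)
        response))))

;; Constructed stand-in for the resource middleware: canned responses keyed
;; by path, shaped the way Ring hands them back after wrap-content-type.
(def stub-responses
  {"/popper/popper.js" {:status 200
                        :headers {"Content-Type" "text/javascript; charset=utf-8"}
                        :body "console.log('hi');"}
   "/"                 {:status 200
                        :headers {"Content-Type" "text/html; charset=utf-8"}
                        :body "<html></html>"}
   "/img/logo.png"     {:status 200
                        :headers {"content-type" "image/png"}
                        :body ""}})

(defn stub-handler [request]
  (get stub-responses (:uri request)
       {:status 404 :headers {} :body "not found"}))

;; The assembled handler, gating on both the script and the document that loads it.
(def app
  (wrap-csp stub-handler
            "default-src 'self'"
            ["text/javascript" "text/html"]))

(defn csp-for
  "CSP header value the app returns for a GET of `uri`, or nil if none is set."
  [uri]
  (get-in (app {:request-method :get :uri uri})
          [:headers "Content-Security-Policy"]))

(defn demo
  "Print the CSP header (or nil) for a few constructed paths."
  []
  (doseq [uri ["/popper/popper.js" "/" "/img/logo.png" "/missing"]]
    (println uri "->" (pr-str (csp-for uri)))))
```

Evaluating `(demo)` in a REPL shows the JS and HTML responses carrying the policy while the PNG and the 404 are left alone. Keeping the policy string and the gated types as arguments to `wrap-csp`, rather than hard-coding them as in the reply, means the same middleware can be mounted once in `wrap-base` and the policy tightened later without touching the middleware body.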

