Help needed to include CSP http header header to response header

17 views
Skip to first unread message

S V

unread,
Sep 10, 2019, 7:30:50 AM9/10/19
to Luminus
Hello!,

I have developed a simple Luminus web application.

I am trying to add CSP http header to response header when serving javascript files.

The solution suggested in documentation (http://www.luminusweb.net/docs/responses.html#setting_headers) seems to be working for REST end points but not for javascript files.

My folder structure is like this

project root
  |
  |
  |-- resources
        |
        |
        |--resources
              |
              |--public
                   |
                   |--js
                       |
                       |-my_js_file.js
  |
  |--src
      |
      |-clj
      

Just as an example, here is the output when I try to fetch response header for one of the included js files

$ curl -I http://127.0.0.1:8080/popper/popper.js
HTTP/1.1 200 OK
Server: undertow
X-XSS-Protection: 1; mode=block
X-Frame-Options: SAMEORIGIN
Date: Tue, 10 Sep 2019 11:28:50 GMT
Connection: keep-alive
Last-Modified: Thu, 05 Sep 2019 15:04:26 GMT
X-Content-Type-Options: nosniff
Content-Length: 0
Content-Type: text/javascript; charset=utf-8



The solution so far looks elusive and I think I need help here !  

Please let me know if any further details are needed.

Thanks,
Sreeram

Dmitri

unread,
Sep 10, 2019, 9:17:49 AM9/10/19
to Luminus
Hi,

What's going on here is that the Js file is served using the resource middleware https://ring-clojure.github.io/ring/ring.middleware.resource.html and the way to add the header would be to do it in the middleware namespace. For example, you could do something like the following:

(defn wrap-js-headers [handler]
  (fn [request]
    (let [response (handler request)]
      (if  (some-> (get-in response [:headers "Content-Type"])
                   (.contains "text/javascript"))
        (assoc-in response [:headers "Content-Security-Policy"] "default-src 'self'")
        response))))

(defn wrap-base [handler]
  (-> ((:middleware defaults) handler)      
      (wrap-defaults
        (-> site-defaults
            (assoc-in [:security :anti-forgery] false)
            (assoc-in  [:session :store] (ttl-memory-store (* 60 30)))))
      (wrap-js-headers)
      wrap-internal-error))


Reply all
Reply to author
Forward
0 new messages