Jaguar-dart / jaguar

Jaguar, a server framework built for speed, simplicity and extensibility. ORM, Session, Authentication & Authorization, OAuth
http://jaguar-dart.github.io

allow modifying the default response headers #135

Closed (rspilker closed this 3 years ago)

rspilker commented 4 years ago

By default the underlying http server adds several headers:

x-frame-options: SAMEORIGIN
x-xss-protection: 1; mode=block
x-content-type-options: nosniff

It is currently impossible to NOT send such a header.

If I want in my application to allow my page to be visible in an IFRAME, I can only set an illegal value for X-Frame-Options in the after. I cannot remove it.

Regarding x-xss-protection, browsers are removing support for it, in favor of CSP headers.

This feature also allows a more elegant way to centrally add a Strict-Transport-Security header, instead of adding it in an after.

rspilker commented 4 years ago

If you decide to merge #134, I can update these test as well.

tejainece commented 3 years ago

A question. Why can't this be done in a before interceptor?

tejainece commented 3 years ago

This has been fixed by exposing the underlying HttpServer instance using Jaguar.servers getter.
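The three headers listed in the opening comment are the defaults that Dart's own `dart:io` `HttpServer` places in `HttpServer.defaultResponseHeaders`, which is why an after-interceptor can overwrite them but never drop them. With the bound server exposed, they can be adjusted once at startup instead of on every response. The following is an added example and not code from this issue or from the jaguar project; it assumes, as the closing comment states, that `Jaguar.servers` yields the bound `HttpServer` instances, and that `serve()` completes once those servers are listening. The route and the framing origin `https://trusted.example` are constructed values.

```dart
import 'dart:io';

import 'package:jaguar/jaguar.dart';

Future<void> main() async {
  final server = Jaguar(port: 8080);
  server.get('/embed', (Context ctx) => 'framed widget'); // constructed route

  // Assumption: serve() returns once the underlying HttpServer(s) are bound.
  await server.serve();

  // Assumption: Jaguar.servers exposes the dart:io HttpServer instances.
  for (final HttpServer s in server.servers) {
    final HttpHeaders defaults = s.defaultResponseHeaders;

    // Header names are matched case-insensitively by HttpHeaders.
    // Replace the legacy framing control with the CSP equivalent so that
    // framing is allowed only from the one trusted origin, not from anywhere.
    defaults.removeAll('x-frame-options');
    defaults.set('content-security-policy',
        "frame-ancestors 'self' https://trusted.example");

    // Browsers have dropped X-XSS-Protection; CSP above is the replacement.
    defaults.removeAll('x-xss-protection');

    // Keep nosniff, and add HSTS centrally instead of in an after-interceptor.
    defaults.set('strict-transport-security',
        'max-age=31536000; includeSubDomains');
  }
}
```

Setting these on `defaultResponseHeaders` means every response carries them without per-route code, and a header removed here is genuinely absent rather than present with an invalid value; verify the result with a plain `curl -I http://localhost:8080/embed` after startup.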