cherokee / webserver

Cherokee Web Server
GNU General Public License v2.0

Reverse proxy doesn't add custom headers for redirects #1204

Open fuzzball1980 opened 6 years ago

fuzzball1980 commented 6 years ago

Hi guys, I have a little problem. I'm using the reverse proxy handler on a vserver, and I have added custom headers on the handler and in the transform tab.

The problem is that when my backend's response is a 301, Cherokee just passes that response to the client without adding my custom headers.

Is there any way to modify that response or is it a bug of the reverse proxy handler?

Thank you very much!

fuzzball1980 commented 6 years ago

OK, guys, I got more information... the problem is not in the reverse proxy handler. I have HSTS enabled on the vserver :-( Sorry.

Anyway, is there any way to change the response made for the HSTS?

Thank you!!

skinkie commented 6 years ago

No, the HSTS is set up automatically...

fuzzball1980 commented 6 years ago

Do you think it is a good feature to be implemented? Does it make sense? I'm asking this because I'm a provider for a big telco company, and the guys in security are running some vulnerability tests using Nikto, and they keep saying my site doesn't comply with their policies, because the automatic test on Nikto keeps detecting the missing header x-frame-options, for example.

My understanding is that it doesn't make any sense to send those headers on a redirect response... but anyway, they keep saying the site is vulnerable.

Thanks!
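As an added example (not Cherokee's code and not from the thread), a small Python checker that grades each hop of a redirect chain on its own headers, the way the scanner described above does, so the HSTS redirect and the final HTTPS response are reported separately; the sample chain, host name and header list are constructed.

```python
# Added example (not Cherokee code): audit each hop of a redirect chain for the
# security headers a scanner such as Nikto flags, since the HSTS-driven 301
# discussed above is checked on its own, separately from the final response.
import http.client
from urllib.parse import urlsplit, urljoin

# Constructed list of headers the scanner in the thread complains about.
EXPECTED = ("strict-transport-security", "x-frame-options", "x-content-type-options")

def missing_headers(headers):
    """Return the EXPECTED headers absent from a response header mapping."""
    present = {k.lower() for k in headers}
    return [h for h in EXPECTED if h not in present]

def audit_chain(chain):
    """chain: list of (status, headers) per hop. Returns (hop, status, missing)
    for every hop that lacks at least one expected header."""
    findings = []
    for hop, (status, headers) in enumerate(chain):
        missing = missing_headers(headers)
        if missing:
            findings.append((hop, status, missing))
    return findings

def fetch_chain(url, max_hops=5, timeout=5):
    """Walk redirects by hand (no auto-follow) so every hop's headers are seen.
    Network helper; the offline sample below does not call it."""
    chain = []
    for _ in range(max_hops):
        p = urlsplit(url)
        cls = http.client.HTTPSConnection if p.scheme == "https" else http.client.HTTPConnection
        conn = cls(p.hostname, p.port, timeout=timeout)
        conn.request("HEAD", p.path or "/", headers={"Host": p.netloc})
        resp = conn.getresponse()
        headers = dict(resp.getheaders())
        conn.close()
        chain.append((resp.status, headers))
        loc = next((v for k, v in headers.items() if k.lower() == "location"), None)
        if resp.status not in (301, 302, 303, 307, 308) or loc is None:
            break
        url = urljoin(url, loc)  # Location may be relative
    return chain

# Constructed sample: hop 0 is the plain-HTTP request answered by the HSTS
# redirect with no custom headers; hop 1 is the HTTPS response carrying them.
SAMPLE_CHAIN = [
    (301, {"Location": "https://example.test/", "Server": "Cherokee"}),
    (200, {"Strict-Transport-Security": "max-age=31536000",
           "X-Frame-Options": "DENY", "X-Content-Type-Options": "nosniff"}),
]
```

Running `audit_chain(SAMPLE_CHAIN)` reports only hop 0, which is exactly the finding a per-response scanner raises against the redirect.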

skinkie commented 6 years ago

Reviewing this https://docs.spring.io/spring-security/site/docs/current/reference/html/headers.html I see your use case. Personally, I wouldn't even want to give an indication of the content being served over HTTP. So implementing this as a header addition before HSTS does not sound smart to me. Maybe we should add the option to set some standard headers, and have that as a feature request. In a way, you don't have to set them up as explicit header additions but more in the style of a preconfigured header.

fuzzball1980 commented 6 years ago

Looks good to me. I don't understand the difference between a header addition before HSTS and the option to add some standard headers, but if it allows setting those standard security headers and maybe removing some others like Server/X-Powered-By, it should work!