Changes Proposed
Related to https://github.com/cloud-gov/cg-secureproxy-boshrelease/issues/81
The discussion in #81 highlights a potential bug in this proxy: it always adds a default Content-Type header to the response, even in cases like HTTP 204/304 responses which have no response body and thus for which a Content-Type header is inappropriate.
This PR updates the Nginx configuration to only set a default Content-Type header when the response body length is not 0, which should prevent undesirable behavior on 204/304 responses.
Security Considerations
It seems like adding a Content-Type header was done to resolve a POAM: https://github.com/cloud-gov/product/issues/540
At the same time, it seems like the Content-Type header itself may have been an afterthought: https://github.com/cloud-gov/cg-secureproxy-boshrelease/pull/6
But for responses where the response body length is 0, I don't see how adding a Content-Type header is ever appropriate.
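A regression check for the behaviour described in this PR, as an added example that is not part of the PR or the project's code: it parses raw HTTP/1.x responses and flags any that carry no body but still set Content-Type. The function names and the sample responses are constructed for illustration.

```python
# Added example (not the project's code): flag a Content-Type header on
# proxy responses that carry no body. Sample responses are constructed.

BODILESS_STATUSES = {204, 304}  # the two cases named in the PR


def parse_response(raw: bytes):
    """Split a raw HTTP/1.x response into (status, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body


def has_no_body(status, headers, body):
    """True when the response cannot or does not carry a body."""
    if status in BODILESS_STATUSES or 100 <= status < 200:
        return True
    if "chunked" in headers.get("transfer-encoding", "").lower():
        return body == b"0\r\n\r\n"  # only the terminating chunk
    return headers.get("content-length") == "0"


def audit(samples):
    """Return labels of bodiless responses that still set Content-Type."""
    flagged = []
    for label, raw in samples.items():
        status, headers, body = parse_response(raw)
        if has_no_body(status, headers, body) and "content-type" in headers:
            flagged.append(label)
    return flagged


# Constructed responses to GET requests (HEAD responses mirror GET headers
# and are out of scope for this check).
SAMPLES = {
    "204-default": b"HTTP/1.1 204 No Content\r\nContent-Type: text/html\r\n\r\n",
    "304-clean": b'HTTP/1.1 304 Not Modified\r\nETag: "abc"\r\n\r\n',
    "200-empty": b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\nContent-Type: text/plain\r\n\r\n",
    "200-body": b"HTTP/1.1 200 OK\r\nContent-Length: 5\r\nContent-Type: text/plain\r\n\r\nhello",
    "200-chunked-empty": b"HTTP/1.1 200 OK\r\nTransfer-Encoding: chunked\r\nContent-Type: text/html\r\n\r\n0\r\n\r\n",
}
```

Run against captured proxy responses before and after the configuration change, the flagged list should shrink to empty once the default header is no longer added to bodiless responses.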