dadi / web

Web is a drop-in front end for websites and web apps. Consumes data from DADI API and others.
https://dadi.cloud/en/web/

Add misc. headers to each response #375

Closed abovedave closed 6 years ago

abovedave commented 6 years ago

In the global config:

"headers": {
    "global": {
      "X-Frame-Options": "DENY",
      "Access-Control-Allow-Headers": "*"
    }
}

At page level:

"headers": {
    "X-Frame-Options": "DENY",
    "Access-Control-Allow-Headers": "*"
}

Or disable all custom:

"headers": false

abovedave commented 6 years ago

Closing in favour of project specific middleware - seems just as simple for the user and keeps fuss out the core.

E.g.,

const Middleware = function (app) {
  app.use((req, res, next) => {
    // HSTS takes a max-age directive in seconds (7776000 s = 90 days)
    res.setHeader('Strict-Transport-Security', 'max-age=7776000')
    res.setHeader('X-Frame-Options', 'SAMEORIGIN')
    res.setHeader('X-XSS-Protection', '0')
    res.setHeader('X-Content-Type-Options', 'nosniff')
    next()
  })
}

module.exports = function (app) {
  return new Middleware(app)
}

module.exports.Middleware = Middleware
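
The configuration proposed in the first comment (global headers, page-level overrides, `false` to disable), written as middleware of the kind the closing comment suggests. This is an added example, not part of the original thread or of DADI Web's code: `resolveHeaders`, `headerMiddleware` and `getPageHeaders` are hypothetical names, and treating a page-level `false` as disabling every custom header for that page is an assumption.

```javascript
// Added example, not DADI Web code: resolveHeaders, headerMiddleware and
// getPageHeaders are hypothetical names.

// RFC 6797: Strict-Transport-Security must carry a max-age directive (seconds).
const HSTS_MAX_AGE = /(^|;)\s*max-age\s*=\s*"?\d+"?\s*(;|$)/i

// globalHeaders: value of the global "headers" key, e.g. { global: {...} }.
// pageHeaders: value of a page's "headers" key: an object, false or undefined.
function resolveHeaders (globalHeaders, pageHeaders) {
  // Assumption: a page-level `false` turns off every custom header for that page.
  if (pageHeaders === false) return {}

  const merged = new Map()
  const layers = [globalHeaders && globalHeaders.global, pageHeaders]
  for (const layer of layers) {
    for (const [name, raw] of Object.entries(layer || {})) {
      const value = String(raw)
      // Reject values that would split the response into extra header lines.
      if (/[\r\n]/.test(value)) {
        throw new Error(`Header ${name} contains a line break`)
      }
      if (name.toLowerCase() === 'strict-transport-security' &&
          !HSTS_MAX_AGE.test(value)) {
        throw new Error('Strict-Transport-Security needs max-age=<seconds>')
      }
      // Header names are case-insensitive, so key on the lower-cased name:
      // a page-level "x-frame-options" replaces a global "X-Frame-Options".
      merged.set(name.toLowerCase(), [name, value])
    }
  }
  return Object.fromEntries(merged.values())
}

// Connect-style middleware; getPageHeaders(req) is a hypothetical lookup that
// returns the matched page's "headers" value.
function headerMiddleware (globalHeaders, getPageHeaders) {
  return (req, res, next) => {
    const headers = resolveHeaders(globalHeaders, getPageHeaders(req))
    for (const [name, value] of Object.entries(headers)) {
      res.setHeader(name, value)
    }
    next()
  }
}
```

Calling `resolveHeaders` once per page at startup surfaces a malformed value, such as a bare number for `Strict-Transport-Security`, before any request is served.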