ellipsesynergie / api-response

Simple package to handle response properly in your API.
MIT License

Server headers blocked #17

Closed OxMarco closed 9 years ago

OxMarco commented 9 years ago

Hi, I would like to point out that, with error responses, server-defined headers are not sent. For example, in my case I use nginx with this configuration (only headers part):

add_header X-Frame-Options SAMEORIGIN;
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";

If I use errorNotFound() (or similar error-reporting methods) the headers are not present, both when testing from the local development server and from the online virtual machine.

maximebeaudoin commented 9 years ago

@grcasanova I assume you use Laravel 5.0. I don't know if it's related to the Laravel response system or nginx handling errors when you return an HTTP code 4* or 5*, but the header will be erased.

It's not a behaviour related to this package.

OxMarco commented 9 years ago

OK, I will take a look at the Nginx docs. Thanks.

osteel commented 9 years ago

@grcasanova This has to do with Nginx. add_header will have no effect with errors. As per the doc:

Adds the specified field to a response header provided that the response code equals 200, 201, 204, 206, 301, 302, 303, 304, or 307.

You want to use more_set_headers instead, which can be installed easily with the nginx-extras package.

You'll find more details in the article I wrote on the subject.
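The change described in this reply, as an added configuration example that is not taken from the thread or from the linked article. It assumes the headers-more module is loaded (for instance via nginx-extras); the server name, document root and PHP-FPM address are placeholders.

```nginx
# Constructed example: server_name, root and fastcgi_pass are placeholders.
server {
    listen 80;
    server_name api.example.test;
    root /var/www/api/public;

    # Before: add_header is applied only when the status is 200, 201, 204,
    # 206, 301, 302, 303, 304 or 307, so a 404 produced by errorNotFound()
    # leaves nginx without these three headers.
    # add_header X-Frame-Options SAMEORIGIN;
    # add_header X-Content-Type-Options nosniff;
    # add_header X-XSS-Protection "1; mode=block";

    # After: more_set_headers (headers-more module). With no -s option the
    # header is set whatever the response status, including 4xx and 5xx.
    more_set_headers "X-Frame-Options: SAMEORIGIN";
    more_set_headers "X-Content-Type-Options: nosniff";
    more_set_headers "X-XSS-Protection: 1; mode=block";

    # Alternative without the extra module (nginx 1.7.5 and later):
    # the "always" parameter makes add_header apply to every status code.
    # add_header X-Frame-Options SAMEORIGIN always;

    location / {
        # Hand everything that is not a static file to the Laravel front controller.
        try_files $uri /index.php?$query_string;
    }

    location ~ \.php$ {
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass 127.0.0.1:9000;  # assumed PHP-FPM listener
    }
}
```

After reloading nginx, request a route that returns 404 (for example with `curl -sI`) and confirm the three headers appear on the error response as well as on a 200.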

maximebeaudoin commented 9 years ago

Thank you @osteel for the hint!

OxMarco commented 9 years ago

@osteel thanks ;) Do you think it is better to add CORS headers in the $headers section of the withArray(...) method or to set them directly on Nginx?

osteel commented 9 years ago

@grcasanova I did not realise you needed CORS, I mentioned the article mainly for the installation steps of nginx-extras :)

Well, as stated at the beginning of the blog post, if you are certain you will need all these headers for every request, it's probably better to set them in Nginx. But if you need specific rules for each route (allowing different verbs, for example), it's better to do it at the application level (so using withArray, for example, or a middleware; there are a few of them available for Laravel).