No SFC and custom headers when using the fallback middleware

[stat1x]

Bug Report

Current Behavior When adding custom headers in config.additionalHeaders and in validHtaccessHeaders, those headers are not in response when useFallbackMiddleware is set to true.

Expected behavior/output The custom headers should be in response.

Environment

• TYPO3 version(s): [9.5.39]
• staticfilecache version: [e.g. 11.1.7]
• Is your TYPO3 installation set up with Composer (Composer Mode): [yes]
• OS: [e.g. Ubuntu 22.04]

Possible Solution In the FallbackMiddleware, the getHeaders method seems to be the problem. In fact, the custom headers that are correctly set in the .config.json file are never read. I can manager a PR for that.

Step to reproduce

1. add the following TypoScript to you main template

   config {
   additionalHeaders {
   997.header = Referrer-Policy: origin-when-cross-origin
   998.header = Strict-Transport-Security: max-age=63072000; includeSubDomains
   999.header = X-Frame-Options: deny
   }
   }

2. set the validHtaccessHeaders EXT:staticfilecache configuration option in your LocalConfiguration.php to

   'validHtaccessHeaders' => 'Content-Type,Content-Language,Content-Security-Policy,Link,Referrer-Policy,Strict-Transport-Security,X-Frame-Options,X-SFC-Tags'

3. check headers of a cached page response in PostMan or browser debugger

[lochmueller]

Hey @stat1x Could you check if a "xxx.config.json" file is part of the cache files (should be directly next to the html/gz cache entriy file in typo3temp/tx_staticfilecache). If the config.json exists, could you check if the header is part of the config file? Do you try to set this header via a middleware instead via TS? Regards, Tim

[stat1x]

Yes the xxx.config.json is correct and has my custom headers. No didn't try with a middleware as it will probably work fine with it. IMO, config.additionalHeaders should be taken into account when using staticfilecache without adding an extra middleware.

[lochmueller]

I think you talk about other middlewares? StaticFileCache uses (and need) multiple middlewares. Yes "config.additionalHeaders" is used by TYPO3 without StaticFileCache, but only in the generation process (first hit). After the first hit and a valid/good strategy, the content is not renderd by TYPO3 anymore. We have to check, which component do not set the header. Could you enable "debugHeaders" in the extension configuration and check "X-SFC-State"-Header and send me the value. Then we can check, if the FallbackMiddlware is the problem or the cache entry itself.

• Do you use Apache?
• Do you use https://github.com/lochmueller/staticfilecache/blob/master/ext_conf_template.txt#L14 this option to add your header to the valid headers that are added to the custom htaccess file.
• If you disable StaticFileCache the header is always there?

Regards, Tim

[stat1x]

Yes I do not want to add an own Middleware as there is an option in TypoScript to add additionnal headers. If I turn debugHeaders to true, I have the SFC debug header as excepted. Unfortunately, I do not have the additional headers defined in TypoScript. If I turn off SFC I get them. The xxx.config.json is correct and contains the additional headers. I've added the "Step to reproduce" in the description. Best regards, Jay

[lochmueller]

hey @stat1x If you saw the Debug header of StaticFileCache, I need the value of the Header, because only then I know which component (TYPO3 rendering, StaticfileCache deilivery, Fallback Middleware etc.) result in your the missing header! Regards, Tim

[lochmueller]

Hey @stat1x checked the PR... so the FallbackMiddlware cause this problem. We should only add a whitelist, so TYPo3 do not add every header of the config.json. Regards, Tim