zero-24 / plg_system_httpheader

This is a Joomla Plugin that provides setting of HTTP Headers

[Feature request] Add support for enabling / disabling limiting headers to the defined list. #43

Closed Sophist-UK closed 1 year ago

zero-24 commented 1 year ago

Hi,

I'm happy to take a look into this but can you please add some more details what you are looking for?

zero-24 commented 1 year ago

Do you have more information on this request @Sophist-UK so I can take a look into them?

Sophist-UK commented 1 year ago

At https://github.com/zero-24/plg_system_httpheader/blob/master/httpheader.php#L47-L59 there is a defined list of headers that this plugin looks for, and this list is checked at https://github.com/zero-24/plg_system_httpheader/blob/master/httpheader.php#L247 and only entries in this list are allowed by this plugin.

I recently found that I needed to add headers for 'report-to' & 'nel' which are not in the list. I could add entries in the plugin settings page, but they were not sent until I added to this list.

So it would be nice to have an option to turn off checking this list so that any HTTP headers desired by the administrator can be added.

zero-24 commented 1 year ago

Support for Report-To and NEL has been added here: https://github.com/zero-24/plg_system_httpheader/releases/tag/1.0.17

I do intentionally check for the headers that are actually supported to avoid stuff being set that is not intended nor supported by this plugin. Will prepare a PR against J4 too to add those two headers to the core plugin too. Thanks :)

zero-24 commented 1 year ago

Core PR created here: https://github.com/joomla/joomla-cms/pull/39378

Sophist-UK commented 1 year ago

I am unclear why this plugin needs to be limited to security headers in the first place? Why should it not be unrestricted and allow the admin to add any headers they want?

zero-24 commented 1 year ago

It's a plugin that's intended to handle security headers and not a "put everything we can" into the header. This also makes sure we don't get some unexpected values there from people saying "it's a text field and I can add this or that in and then that will be set as header" kind of issues. With the two headers requested added, the mentioned use case should be achievable. :)
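To make the mechanism discussed above concrete (a fixed list of supported header names, with anything else not emitted) and to show how a maintainer could avoid the silent drop while still guarding against unexpected values, here is an added illustration in plain PHP. It is not code from plg_system_httpheader or from Joomla; the allow-list contents, the `filterHeaders()` function and the sample entries are all constructed for this example.

```php
<?php
// Added illustration, not code from plg_system_httpheader: an allow-list
// check of the kind described in the thread, plus the logging and value
// validation a hardened variant would want.

// Constructed allow-list; the plugin's real list lives in httpheader.php.
const SUPPORTED_HEADERS = [
    'content-security-policy',
    'x-content-type-options',
    'report-to',
    'nel',
];

/**
 * Split admin-configured entries into headers to send and entries dropped,
 * so nothing is discarded silently.
 *
 * @param array $configured list of ['key' => ..., 'value' => ...]
 * @param array $allowList  lower-case header names that may be emitted
 * @return array ['send' => [name => value], 'dropped' => [reason strings]]
 */
function filterHeaders(array $configured, array $allowList): array
{
    $send = [];
    $dropped = [];

    foreach ($configured as $entry) {
        $name  = trim((string) ($entry['key'] ?? ''));
        $value = trim((string) ($entry['value'] ?? ''));
        $lower = strtolower($name);

        // RFC 7230 token: header names are limited to a small character set.
        if (!preg_match('/^[!#$%&\'*+.^_`|~0-9A-Za-z-]+$/', $name)) {
            $dropped[] = 'invalid header name: ' . var_export($name, true);
            continue;
        }

        // A line break inside a value would end this field early, so refuse it.
        if (preg_match('/[\r\n]/', $value)) {
            $dropped[] = "line break in value of {$name}";
            continue;
        }

        if (!in_array($lower, $allowList, true)) {
            $dropped[] = "unsupported header: {$name}";
            continue;
        }

        $send[$name] = $value;
    }

    return ['send' => $send, 'dropped' => $dropped];
}

// Constructed sample of what an administrator might type into the settings.
$configured = [
    ['key' => 'X-Content-Type-Options', 'value' => 'nosniff'],
    ['key' => 'NEL', 'value' => '{"report_to":"default","max_age":31536000}'],
    ['key' => 'X-Custom-Debug', 'value' => 'on'],        // not in the list
    ['key' => 'Report-To', 'value' => "{}\nextra line"],  // value with a line break
];

$result = filterHeaders($configured, SUPPORTED_HEADERS);

foreach ($result['send'] as $name => $value) {
    header($name . ': ' . $value);   // PHP's header() also refuses newlines
}
foreach ($result['dropped'] as $reason) {
    error_log('httpheader: ' . $reason);   // surface what was not sent
}
```

Run from the CLI, the two supported entries pass the filter and the other two are reported via `error_log()` instead of vanishing, which addresses the "silently not send it" concern without opening the field to arbitrary headers.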

Sophist-UK commented 1 year ago

Hmmm. It is plg_system_httpheader and not plg_system_httpsecurityheaders.

There is IMO a general need for supporting non-security headers, and I am unclear why this plugin feels it should be restricted only to security headers.

Also, if you want to focus it on a subset of headers (for the less initiated), then selecting headers from a list to add would IMO be the way to go.

Sophist-UK commented 1 year ago

P.S. Also, I think it is not a user-friendly idea to allow the user to specify a header to be sent, and then silently not to send it.

zero-24 commented 1 year ago

Hmmm. It is plg_system_httpheader and not plg_system_httpsecurityheaders. There is IMO a general need for supporting non-security headers, and I am unclear why this plugin feels it should be restricted only to security headers.

"This Joomla Plugin implements an UI Layer for the HTTP Security headers so everyone can set and configure them from the backend." From - https://github.com/zero-24/plg_system_httpheader/blob/master/README.md

The problem with non-security headers is that some should not rely on Joomla and a CMS plugin to be fired up. The main reason we do have the plugin is for CSP, as there you can configure it in a way that it is dynamic and not a fixed value like "nosniff".

P.S. Also, I think it is not a user-friendly idea to allow the user to specify a header to be sent, and then silently not to send it.

Also, if you want to focus it on a subset of headers (for the less initiated), then selecting headers from a list to add would IMO be the way to go.

Yes, that's the reason the core plugin does just support what is in the list. A change here would be a B/C break within the plugin and that's the reason I have not backported that change into the plugin.

And this plugin clearly states in the description of the fields what is supported or not, while offering a list to select from is better, I do agree.