Fix header forwarding

.gitignore

@@ -1 +1,2 @@
 /node_modules
+.DS_Store

CHANGELOG.md

@@ -1,5 +1,12 @@
 # Changelog
 
+## UNRELEASED
+
+### Changes
+* The configuration array for headers passed from Apostrophe to the browser has been changed from `forwardHeaders` to `includeResponseHeaders` with BC maintained.
+* A new configuration option `excludeResponseHeaders` has been added to allow exclusion of headers like `host` being sent from the browser to Apostrophe.
+* The `README.MD` has been updated with the new configuration options.
+
 ## 1.1.0 (2024-11-20)
 
 ### Adds

README.md

@@ -99,14 +99,17 @@ export default defineConfig({
       widgetsMapping: './src/widgets',
       templatesMapping: './src/templates',
       viewTransitionWorkaround: false,
-      forwardHeaders: [
+      includeResponseHeaders: [
         'content-security-policy', 
         'strict-transport-security', 
         'x-frame-options',
         'referrer-policy',
-        'cache-control',
-        'host'
+        'cache-control'
       ],
+      excludeRequestHeaders: [
+        // For single-site setups or hosting on multiple servers, block the host header
+        'host'
+      ]
       proxyRoutes: [
         // Custom URLs that should be proxied to Apostrophe.
         // Note that all of `/api/v1` is already proxied, so
@@ -153,17 +156,28 @@ improve performance for editors. Ordinary website visitors are
 not impacted in any case. We are seeking an alternative solution to
 eliminate this option.
 
-### `forwardHeaders`  
+### `includeResponseHeaders`
+
+An array of HTTP headers that you want to include from Apostrophe to the final response sent to the browser - useful if you want to use an Apostrophe module like `@apostrophecms/security-headers` and want to keep those headers as configured in Apostrophe.
 
-An array of HTTP headers that you want to forward from Apostrophe to the final response sent to the browser - useful if you want to use an Apostrophe module like `@apostrophecms/security-headers` and want to keep those headers as configured in Apostrophe.  
 At the present time, Astro is not compatible with the `nonce` property of `content-security-policy` `script-src` value. So this is automatically removed with that integration. The rest of the CSP header remains unchanged.
 
+### `excludeRequestHeaders`
+
+An array of HTTP headers that you want to prevent from being forwarded from the browser to Apostrophe. This is particularly useful in single-site setups where you want to block the `host` header to allow Astro and Apostrophe to run on different domains or ports.
+
+By default, all headers are forwarded except those specified in this array.
+
+### `forwardHeaders` (deprecated)
+
+This option has been replaced by `includeResponseHeaders` which provides clearer naming for its purpose. If both options are provided, `includeResponseHeaders` takes precedence. `forwardHeaders` will be removed in a future version.
+
 ### Mapping Apostrophe templates to Astro components
 
 Since the front end of our project is entirely Astro, we'll need to create Astro components corresponding to each
 template that Apostrophe would normally render with Nunjucks.
-  
-Create your template mapping in `src/templates/index.js` file.   
+
+Create your template mapping in `src/templates/index.js` file.
 As shown above, this file path must then be added to your `astro.config.mjs` file,
 in the `templatesMapping` option of the `apostrophe` integration.
 

components/layouts/AposLayout.astro

@@ -7,10 +7,16 @@ import config from 'virtual:apostrophe-config';
 const { aposData } = Astro.props;
 
 // Forward Apostrophe response headers to Astro based on the config
-if (config.forwardHeaders && Array.isArray(config.forwardHeaders)) {
+let headersToInclude = config.includeResponseHeaders;
+if (!headersToInclude && config.forwardHeaders) {
+  console.warn('forwardHeaders is deprecated. Please use includeResponseHeaders instead.');
+  headersToInclude = config.forwardHeaders;
+}
+
+if (headersToInclude && Array.isArray(headersToInclude)) {
   const headers = aposData.aposResponseHeaders;
   if (headers) {
-    for (const header of config.forwardHeaders) {
+    for (const header of headersToInclude) {
       let aposHeader = headers.get(header);
       // Astro is not compatible with nonce in CSP
       if (aposHeader && header === 'content-security-policy') {

index.js

@@ -19,7 +19,9 @@ export default function apostropheIntegration(options) {
               vitePluginApostropheConfig(
                 options.aposHost,
                 options.forwardHeaders,
-                options.viewTransitionWorkaround
+                options.viewTransitionWorkaround,
+                options.includeResponseHeaders,
+                options.excludeRequestHeaders
               ),
             ],
           },

lib/aposResponse.js

@@ -7,10 +7,14 @@ export default async function aposResponse(req) {
   const aposUrl = new URL(url.pathname, aposHost);
   aposUrl.search = url.search;
 
-  const requestHeaders = {}
-  for (const header of req.headers) {
-    requestHeaders[header[0]] = header[1];
+  const requestHeaders = {};
+  for (const [name, value] of req.headers) {
+    const headerLower = name.toLowerCase();
+    if (!config.excludeRequestHeaders?.map(h => h.toLowerCase()).includes(headerLower)) {
+      requestHeaders[name] = value;
+    }
   }
+
   const res = await request(aposUrl.href, { headers: requestHeaders, method: req.method, body: req.body });
   const responseHeaders = new Headers();
   Object.entries(res.headers).forEach(([key, value]) => {
@@ -21,7 +25,7 @@ export default async function aposResponse(req) {
   });
   const { headers, statusCode, ...rest } = res;
   const body = [204, 304].includes(statusCode) ? null : res.body;
-  const response = new Response(body, { ...rest , status: res.statusCode, headers: responseHeaders });
+  const response = new Response(body, { ...rest, status: res.statusCode, headers: responseHeaders });
   return response;
 };
 

vite/vite-plugin-apostrophe-config.js

@@ -1,12 +1,16 @@
 export function vitePluginApostropheConfig(
   aposHost,
-  forwardHeaders,
-  viewTransitionWorkaround
+  forwardHeaders = null,
+  viewTransitionWorkaround,
+  includeResponseHeaders = null,
+  excludeRequestHeaders = null
 ) {
-
   const virtualModuleId = "virtual:apostrophe-config";
   const resolvedVirtualModuleId = "\0" + virtualModuleId;
 
+  // Use includeResponseHeaders if provided, fallback to forwardHeaders for BC
+  const headersToInclude = includeResponseHeaders || forwardHeaders;
+
   return {
     name: "vite-plugin-apostrophe-config",
     async resolveId(id) {
@@ -16,18 +20,21 @@ export function vitePluginApostropheConfig(
     },
     async load(id) {
       if (id === resolvedVirtualModuleId) {
-          return `
-            export default {
-              aposHost: "${aposHost}"
-              ${forwardHeaders ? `,
-                forwardHeaders: ${JSON.stringify(forwardHeaders)}` : ''
-              }
-              ${viewTransitionWorkaround ? `,
-                viewTransitionWorkaround: true` : ''
-              }
-            }`
-          ;
+        return `
+          export default {
+            aposHost: "${aposHost}"
+            ${headersToInclude ? `,
+              includeResponseHeaders: ${JSON.stringify(headersToInclude)}` : ''
+            }
+            ${excludeRequestHeaders ? `,
+              excludeRequestHeaders: ${JSON.stringify(excludeRequestHeaders)}` : ''
+            }
+            ${viewTransitionWorkaround ? `,
+              viewTransitionWorkaround: true` : ''
+            }
+          }`
+        ;
       }
     },
   };
-};
+};