Fix header forwarding #28
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Pass excluded headers
boutell
requested changes
Dec 23, 2024
| ], | ||
| excludeRequestHeaders: [ | ||
| // For single-site setups or hosting on multiple servers, block the host header | ||
| 'host' |
There was a problem hiding this comment.
Right so it is critical to include this setting in the project level PRs.
README.md
Outdated
| ### `forwardHeaders` | ||
| ### `includeResponseHeaders` | ||
|
|
||
| An array of HTTP headers that you want to include from Apostrophe to the final response sent to the browser - useful if you want to use an Apostrophe module like `@apostrophecms/security-headers` and want to keep those headers as configured in Apostrophe. |
There was a problem hiding this comment.
Also good for respecting apostrophe's caching headers.
README.md
Outdated
| At the present time, Astro is not compatible with the `nonce` property of `content-security-policy` `script-src` value. So this is automatically removed with that integration. The rest of the CSP header remains unchanged. | ||
|
|
||
| ### `excludeRequestHeaders` | ||
|
|
||
| An array of HTTP headers that you want to prevent from being forwarded from the browser to Apostrophe. This is particularly useful in single-site setups where you want to block the `host` header to allow Astro and Apostrophe to run on different domains or ports. |
There was a problem hiding this comment.
Just say different hostnames. Different ports aren't really a problem.
lib/aposResponse.js
Outdated
| const requestHeaders = {}; | ||
| for (const [name, value] of req.headers) { | ||
| const headerLower = name.toLowerCase(); | ||
| if (!config.excludeRequestHeaders?.map(h => h.toLowerCase()).includes(headerLower)) { |
There was a problem hiding this comment.
- Shouldn't this be an equality comparison rather than "includes" which would match a header that happens to be a substring of some unrelated header?
- Because it is on each request, it is worth making it more efficient by converting all of the excluded request headers to lowercase at startup rather than doing it over and over like this.
- So you should be able to do a simple "includes" test on
config.excludeRequestHeadersafter you've normalized it.
There was a problem hiding this comment.
Oh, right! Good catch with the includes. Code refactored.
boutell
requested changes
Jan 2, 2025
lib/aposResponse.js
Outdated
| @@ -7,10 +7,12 @@ export default async function aposResponse(req) { | |||
| const aposUrl = new URL(url.pathname, aposHost); | |||
| aposUrl.search = url.search; | |||
|
|
|||
|
|
|||
| const excludedHeadersLower = new Set(config.excludeRequestHeaders?.map(h => h.toLowerCase()) || []); | |||
There was a problem hiding this comment.
Why not move this to top level code in this file so it doesn't have to happen on every request?
boutell
approved these changes
Jan 2, 2025
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Summary
Summarize the changes briefly, including which issue/ticket this resolves. If it closes an existing Github issue, include "Closes #[issue number]"
This PR refactors the handling of headers to allow for the excluding of the host header in single-site, multi-server instances. It also renames the header configuration arrays while maintaining backward compatibility.
What are the specific steps to test this change?
For example:
This has been tested in a Heroku two-server deployment. It has been tested in local dev deployment. It has not been tested in either Apostrophe hosting. It will be tested in multisite local deployment
What kind of change does this PR introduce?
(Check at least one)
Make sure the PR fulfills these requirements:
If adding a new feature without an already open issue, it's best to open a feature request issue first and wait for approval before working on it.
Other information: