feat: Add security headers #58
Conversation
channelserver/src/main.rs
Outdated
| fn cspreport( | ||
| req: &HttpRequest<session::WsChannelSessionState>, | ||
| ) -> Box<Future<Item = HttpResponse, Error = Error>> { | ||
| use std::str; |
There was a problem hiding this comment.
Heh, I was honestly wondering if I should put all the SecOps calls into their own file so that we could drop them in place in the future.
I think if I get to that point, though, it's probably worth just packaging them up properly.
| @@ -94,6 +98,7 @@ fn channel_route(req: &HttpRequest<session::WsChannelSessionState>) -> Result<Ht | |||
| "remote_ip" => &meta_info.remote | |||
| ); | |||
|
|
|||
| // Cannot apply headers here. | |||
There was a problem hiding this comment.
ws::start returns an HttpResponse so you probably could? -- assuming you'd even want to. I don't think the foxsec headers are terribly important there but probably wouldn't hurt the ws handshake either.
If you're fine w/ injecting those headers into every response, actix_web's DefaultHeaders middleware provides an easier way (this fn add_headers works for me but if applicable, the middleware might be a nice refactor for later)
There was a problem hiding this comment.
Looking into the code, I don't think I can, or at least, not without some weird surgery. The problem is that ws::start generates the HttpResponse and then posts it independently. So I can't append the headers before it's sent out.
I didn't think about the DefaultHeader middleware, and yeah, these are fairly universal. I'll do the refactor later since I want to address a few things about that. Thanks!
Issue #19