Allow official sec- headers to the final application. #103

Open
edevosc2c opened this issue Feb 16, 2024 · 0 comments
Labels: enhancement, gardening

@edevosc2c (Member)

The gateway is removing all the sec- headers before passing them to the final application: https://github.com/georchestra/georchestra-gateway/blob/main/gateway/src/main/java/org/georchestra/gateway/filter/headers/RemoveSecurityHeadersGatewayFilterFactory.java#L50

This may not be desired because there are many official sec- headers useful for the applications; here is a list from MDN: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Sec-Fetch-Dest

I think we should modify the regex and whitelist the official sec- headers.
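One way to express such an allowlist as a single regex, as an added example that is not the gateway's own code: every `sec-` header is still stripped unless its whole name, compared case-insensitively, is one of a fixed set of browser-defined request headers. The class, the pattern, the choice of allowed headers and the sample request (including the `sec-username` and `SEC-ROLES` names) are assumptions constructed for illustration.

```java
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.regex.Pattern;

public class SecHeaderAllowlist {

    // Hypothetical pattern: matches the names that must be REMOVED.
    // The negative lookahead ends in '$', so only an exact allowlisted name
    // escapes stripping; "Sec-Fetch-Site-roles" is not exempted by its prefix.
    static final Pattern STRIP = Pattern.compile(
            "^(?!(?:sec-fetch-(?:dest|mode|site|user)"               // Fetch Metadata
            + "|sec-websocket-(?:key|version|protocol|extensions)"   // WebSocket handshake
            + "|sec-ch-ua(?:-mobile|-platform)?"                     // default client hints
            + "|sec-gpc|sec-purpose)$)sec-.*$",
            Pattern.CASE_INSENSITIVE); // header names are case-insensitive

    static boolean mustStrip(String headerName) {
        return STRIP.matcher(headerName).matches();
    }

    // Returns a copy of the request headers with non-allowlisted sec-* names removed.
    static Map<String, String> forward(Map<String, String> incoming) {
        Map<String, String> out = new LinkedHashMap<>(incoming);
        out.keySet().removeIf(SecHeaderAllowlist::mustStrip);
        return out;
    }

    public static void main(String[] args) {
        // Constructed sample request, not captured traffic.
        Map<String, String> request = new LinkedHashMap<>();
        request.put("Accept", "text/html");
        request.put("Sec-Fetch-Site", "cross-site");              // allowlisted, kept
        request.put("Sec-WebSocket-Key", "constructed-sample");   // allowlisted, kept
        request.put("sec-username", "admin");                     // client-supplied, stripped
        request.put("SEC-ROLES", "ROLE_ADMINISTRATOR");           // stripped regardless of case
        request.put("Sec-Fetch-Site-roles", "ROLE_ADMINISTRATOR"); // prefix only, stripped
        forward(request).forEach((k, v) -> System.out.println(k + ": " + v));
    }
}
```

Keeping the allowlist to exact names, with no wildcard such as `sec-ch-.*`, means a new `sec-` header stays blocked until someone deliberately adds it.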
