Custom headers

adam · August 8, 2023, 2:14am

Following up on a chat with @rick on IRC, I’m capturing a feature request to support custom HTTP headers.

rick · August 8, 2023, 2:41am

appreciate it @adam, thanks!

rick · August 8, 2023, 4:54am

just for clarity, my original request was about “security headers”. You can read more about what I usually set for static sites in this gist:

gist.github.com

https://gist.github.com/RickCogley/f85b981021d94a3af10d73a87d1a62aa

1. Readme.md

This set of "low-hanging fruit" security headers can be set for most websites to cover a range or potential problems and get a better ranking on https://securityheaders.com/. You should not that this _does not cover_ CORS/CSP headers, because they are not "one size fits all" and require trial and error to set. Among these standard headers, the "Permissions-Policy" (previously "Feature-Policy") header requires a bit of thought, and trial and error, so be sure to review and edit as appropriate. 

Generally speaking, although you can set some of these directly in HTML, you usually set security headers on the server side, for example in a `.htaccess` file on Apache, in a file like `vercel.json` in the root of your site if you're hosting on Vercel (similar for Netlify iirc), or under "web rules, header rules" UI if you're hosting on WP Engine (see screenshot). 

It's also super simple to implement a static HTML site deployed on Deno Deploy, and served via Deno Oak. See the single, simple `index.ts` file below for an example of that, assuming your HTML files are in `/html` in your project. 

You can reference MDN for good information on these headers: 

* https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Origin
* https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security

This file has been truncated. show original

2. sample-security-headers.json

"headers":[
        {
          "key": "Strict-Transport-Security",
          "value": "max-age=63072000; includeSubDomains; preload"
        },
        {
          "key": "Access-Control-Allow-Origin",
          "value": "*"
        },
        {

This file has been truncated. show original

3. index.ts

import { Application } from "https://deno.land/x/oak/mod.ts";

const app = new Application();

// Logger
app.use(async (ctx, next) => {
  await next();
  const rt = ctx.response.headers.get("X-Response-Time");
  console.log(`${ctx.request.method} ${ctx.request.url} - ${rt}`);
});

This file has been truncated. show original

There are more than three files. show original

pimoore · September 24, 2023, 12:56am

I was just going to make a feature request about security headers, but found this thread in the search. Adding these would be super beneficial, as testing my weblog comes back with a D rating over at securityheaders.com.

adam · September 24, 2023, 3:00am

It shouldn’t be too much longer before we’ll have custom header controls for both omg.lol profile pages and weblog.lol. I did make a couple of small (and hopefully safe) global updates just now, which should earn you an “A” on securityheaders.com — though it’s admittedly not a well-deserved grade because the CSP is super lenient. As a global policy for 4,000+ omg.lol profile pages, it kind of has to be (since all kinds of folks have all kinds of stuff going on with their profile pages). The other issue is that I can’t enable the X-Frame-Options header since there’s no explicit valid “allow” option (only directives for denying in general or when not on the same origin) and we do have members who display their omg.lol pages in frames on other sites.

Once everyone can define their own headers, though, the freedom and flexibility to be as restrictive or permissive in various security policies will be in everyone’s individual hands. Stay tuned!

pimoore · September 24, 2023, 3:31am

That’s a really good point about the CSP, and from my ~~reading~~ geeking out is a difficult beast to get correct. Just having an A rating is a huge deal, so thanks for implementing this!

c0nfigurati0n · October 17, 2023, 2:02am

@adam any updates?

adam · October 17, 2023, 1:49pm

Not yet. Will try to get this in soon!