Headers applied to GET only? #217
Looking at the code: Strict-Transport-Security header etc.
Is it intended, or is it a bug? I see the related #82 for this change (changed to apply to "all GET" instead of "any page request"), but I don't see a reason not to include security headers for other HTTP methods.
Replies: 4 comments
Hello @lanorkin, There was a point in time where the module was altered to apply the CSP to all GET routes instead of just to routes which covered a Content Page route. This change was made to ensure that the CSP was also applied to the Editor and Admin interface. As the initial page load already instructs the browser for the CSP and the browser would cache the Strict-Transport-Security header, this was switched to a GET method check. In retrospect, with the other headers in mind (and recent caching and performance boosts) it may be prudent to change this to apply for both GET and POST methods on the basis that you may reach a content page on a POST method just as easily as a GET page. It may also be prudent to apply this to any HTTP Method if your Controller Actions do not have the specific methods restricted. If you agree with the proposed change to apply this for all HTTP methods, I'll promote this to a bug and make the necessary changes. Regards,
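An added check, not part of the module or of this thread, that reproduces the GET-only behaviour described above on a constructed local server and reports which HTTP methods come back without Strict-Transport-Security or Content-Security-Policy; the handler classes, header values and the loopback port are assumptions for the example.

```python
"""Verify that security headers are emitted for every HTTP method, not GET only."""
import http.client
import http.server
import threading

SECURITY_HEADERS = ("Strict-Transport-Security", "Content-Security-Policy")
METHODS = ("GET", "POST", "HEAD", "OPTIONS")


class GetOnlyHandler(http.server.BaseHTTPRequestHandler):
    """Constructed server reproducing the bug: headers only on GET requests."""
    HEADER_METHODS = {"GET"}  # which methods get the security headers

    def _respond(self):
        self.send_response(200)
        if self.command in self.HEADER_METHODS:
            self.send_header("Strict-Transport-Security", "max-age=31536000")
            self.send_header("Content-Security-Policy", "default-src 'self'")
        self.send_header("Content-Length", "0")
        self.end_headers()

    do_GET = do_POST = do_HEAD = do_OPTIONS = _respond

    def log_message(self, *args):  # keep the example quiet
        pass


class AllMethodsHandler(GetOnlyHandler):
    """The corrected behaviour: headers on every method the app serves."""
    HEADER_METHODS = set(METHODS)


def missing_headers(host, port, path="/"):
    """Return {method: [missing header names]} for methods lacking any header."""
    result = {}
    for method in METHODS:
        conn = http.client.HTTPConnection(host, port, timeout=5)
        conn.request(method, path)
        present = {name.lower() for name, _ in conn.getresponse().getheaders()}
        conn.close()
        missing = sorted(h for h in SECURITY_HEADERS if h.lower() not in present)
        if missing:
            result[method] = missing
    return result


def run_check(handler_cls):
    """Serve handler_cls on a free loopback port, run the check, shut down."""
    server = http.server.HTTPServer(("127.0.0.1", 0), handler_cls)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        return missing_headers(*server.server_address)
    finally:
        server.shutdown()
        server.server_close()
```

Pointing `missing_headers` at a real deployment (host and port of the site under test) gives the same per-method report, so a regression of this kind shows up as non-GET methods listed in the result.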
Hi @GeekInTheNorth, yes, I think in this case it should be a bug to fix. I think it is a fair expectation to see security headers for all the methods. Thanks a lot!
Hello @lanorkin, I've raised this now as #218. I have some other amends mid-flight which are not ready for release yet, so I'll tackle this one as if it were a hotfix and release it separately when it's done. I'll let you know when it's on the NuGet feeds.
Released in Release 2.7.0, see #228