From d9a20377f342308a4f1413b4db0020107009a48f Mon Sep 17 00:00:00 2001
From: Aaron Lehmann
Date: Mon, 10 Aug 2015 14:20:52 -0700
Subject: [PATCH] Add a section to the config file for HTTP headers to add to responses

The example configuration files add X-Content-Type-Options: nosniff. Add coverage in existing registry/handlers unit tests.

Signed-off-by: Aaron Lehmann
---
 docs/handlers/api_test.go | 15 +++++++++++++++
 docs/handlers/app.go | 6 ++++++
 2 files changed, 21 insertions(+)

diff --git a/docs/handlers/api_test.go b/docs/handlers/api_test.go
index c484835fd..0e192449b 100644
--- a/docs/handlers/api_test.go
+++ b/docs/handlers/api_test.go
@@ -30,6 +30,10 @@ import (
 "golang.org/x/net/context"
 )
+var headerConfig = http.Header{
+ "X-Content-Type-Options": []string{"nosniff"},
+}
+
 // TestCheckAPI hits the base endpoint (/v2/) ensures we return the specified
 // 200 OK response.
 func TestCheckAPI(t *testing.T) {
@@ -215,6 +219,7 @@ func TestURLPrefix(t *testing.T) {
 },
 }
 config.HTTP.Prefix = "/test/"
+ config.HTTP.Headers = headerConfig
 env := newTestEnvWithConfig(t, &config)
@@ -1009,6 +1014,8 @@ func newTestEnv(t *testing.T, deleteEnabled bool) *testEnv {
 },
 }
+ config.HTTP.Headers = headerConfig
+
 return newTestEnvWithConfig(t, &config)
 }
@@ -1225,6 +1232,14 @@ func checkResponse(t *testing.T, msg string, resp *http.Response, expectedStatus
 t.FailNow()
 }
+
+ // We expect the headers included in the configuration
+ if !reflect.DeepEqual(resp.Header["X-Content-Type-Options"], []string{"nosniff"}) {
+ t.Logf("missing or incorrect header X-Content-Type-Options %s", msg)
+ maybeDumpResponse(t, resp)
+
+ t.FailNow()
+ }
 }
 // checkBodyHasErrorCodes ensures the body is an error body and has the
diff --git a/docs/handlers/app.go b/docs/handlers/app.go
index f60290d09..7b0fe6c2d 100644
--- a/docs/handlers/app.go
+++ b/docs/handlers/app.go
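Review bot: The assertion added to checkResponse in docs/handlers/api_test.go hard-codes `X-Content-Type-Options` and `nosniff` instead of reading `headerConfig`, so the check can drift from the configuration the test environments are built with, and any header added to `headerConfig` later goes unverified. Looping over the map keeps the two tied together: `for name, want := range headerConfig {` with `if !reflect.DeepEqual(resp.Header[name], want) {` inside. checkResponse now also fails for any environment built without `config.HTTP.Headers = headerConfig`; the visible hunks set it in newTestEnv and TestURLPrefix, and any other caller of newTestEnvWithConfig outside these hunks would need the same line. checkResponse begins above the hunk.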
@@ -428,6 +428,12 @@ type dispatchFunc func(ctx *Context, r *http.Request) http.Handler
 // handler, using the dispatch factory function.
 func (app *App) dispatcher(dispatch dispatchFunc) http.Handler {
 return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+ for headerName, headerValues := range app.Config.HTTP.Headers {
+ for _, value := range headerValues {
+ w.Header().Add(headerName, value)
+ }
+ }
+
 context := app.context(w, r)
 if err := app.authorized(w, r, context); err != nil {
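Review bot: The header loop at the top of the dispatcher closure needs a comment, because its position and its use of `Add` are what an operator relying on it for security headers has to know. Something like `// Apply operator-configured headers before building the context and checking authorization, so responses written on those paths carry them as well.` states the ordering; whether the authorization failure path writes through the same `w` is outside the hunk and should be confirmed. Because `w.Header().Add` appends, a handler that later calls `Set` on the same name replaces the configured value and one that calls `Add` produces a second value, so the configuration documentation should describe these headers as defaults rather than guarantees. Responses that do not pass through `dispatcher` (presumably the router's not-found handler, which is not visible here) will not carry them. The closure continues past the end of the hunk.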