Edgewall Software

Opened 6 years ago

Last modified 6 years ago

#12964 closed enhancement

Make HTTP headers configurable — at Version 2

Reported by: Ryan J Ollos
Owned by: Ryan J Ollos
Priority: normal
Milestone: 1.2.3
Component: web frontend
Version:
Severity: normal
Keywords:
Cc:
Branch:
Release Notes:

Request headers are configurable through the [http-headers] section of trac.ini.

API Changes:
Internal Changes:

Description (last modified by Ryan J Ollos)

Discussed in gmessage:trac-dev:gDPzxZEo8v0/VMPI57jNCQAJ.

  1. Check whether the HTTP header name is valid, like the [trac] xsendfile_header option.
  2. Check whether the HTTP header value is valid (the value cannot contain control characters except TAB and SPACE).
  3. Ignore some headers, e.g. Content-Type, Content-Length, Location, ETag, Pragma, Cache-Control, Expires.
  4. Send configured headers for all send_* methods, including send_error().

Change History (2)

comment:1 by Ryan J Ollos, 6 years ago

Owner: set to Ryan J Ollos
Status: new → assigned

comment:2 by Ryan J Ollos, 6 years ago

Description: modified (diff)
Release Notes: modified (diff)

Do we want to configure any default values for [http-headers]? Is the following suggested?:

[http-headers]
Content-Security-Policy = frame-ancestors 'self'; default-src 'none'; img-src 'self'; script-src 'self'; style-src 'self'; base-uri 'self'
Referrer-Policy = same-origin
X-Frame-Options = SAMEORIGIN
X-Content-Type-Options = nosniff
X-XSS-Protection = 1; mode=block
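
The checks listed in the description, applied to the defaults proposed in comment:2, as an added Python example that is not part of the ticket or Trac's own code. The RFC 7230 token pattern for header names, the function names and the extra Cache-Control line in the sample are assumptions made for illustration.

```python
import configparser
import re

# RFC 7230 "token" characters for field names (assumption: the ticket only
# says names are checked like the [trac] xsendfile_header option).
NAME_RE = re.compile(r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")
# Control characters other than TAB (0x09); SPACE (0x20) is allowed as well.
BAD_VALUE_RE = re.compile(r"[\x00-\x08\x0a-\x1f\x7f]")
# Headers the ticket lists as ignored (it gives them as examples).
IGNORED = {"content-type", "content-length", "location", "etag",
           "pragma", "cache-control", "expires"}


def filter_headers(items):
    """Split (name, value) pairs into accepted headers and rejections."""
    accepted, rejected = [], []
    for name, value in items:
        # fullmatch, not match with "$": "$" would accept a trailing newline.
        if not NAME_RE.fullmatch(name):
            rejected.append((name, "invalid name"))
        elif name.lower() in IGNORED:
            rejected.append((name, "ignored header"))
        elif BAD_VALUE_RE.search(value):
            rejected.append((name, "control character in value"))
        else:
            accepted.append((name, value))
    return accepted, rejected


def load_section(ini_text, section="http-headers"):
    """Read the section without lowercasing names or interpolating '%'."""
    parser = configparser.RawConfigParser()
    parser.optionxform = str  # keep header names as written
    parser.read_string(ini_text)
    return parser.items(section) if parser.has_section(section) else []


# Constructed sample: the defaults from comment:2 plus one ignored header.
SAMPLE_INI = """\
[http-headers]
Content-Security-Policy = frame-ancestors 'self'; default-src 'none'; img-src 'self'; script-src 'self'; style-src 'self'; base-uri 'self'
Referrer-Policy = same-origin
X-Frame-Options = SAMEORIGIN
X-Content-Type-Options = nosniff
X-XSS-Protection = 1; mode=block
Cache-Control = no-store
"""

if __name__ == "__main__":
    ok, bad = filter_headers(load_section(SAMPLE_INI))
    for name, value in ok:
        print("send  %s: %s" % (name, value))
    for name, reason in bad:
        print("skip  %s (%s)" % (name, reason))
```

Rejecting CR and LF in values is what keeps a configured header from splitting the response into extra headers or a second body.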