Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Fix: enable secure header middleware by default #1601

Merged
merged 6 commits into from
Sep 2, 2024
Merged

Fix: enable secure header middleware by default #1601

merged 6 commits into from
Sep 2, 2024

Conversation

tadhglewis
Copy link
Member

Idk why we wouldn't have this?

As such, it's important that this middleware is only used under these circumstances:

  1. The app's domain does not mix HTTP and HTTPS.

  2. The response is an API response, i.e. it is not being directly rendered by the browser.

  3. The responses have an accurate Content-Type header.

https://github.com/seek-oss/koala/tree/master/src/secureHeaders

@changeset-bot changeset-bot
Copy link

changeset-bot bot commented Jul 2, 2024
edited
Loading

🦋 Changeset detected

Latest commit: caaece5

The changes in this PR will be included in the next version bump.

Not sure what this means? Click here to learn what changesets are.

Click here if you're a maintainer who wants to add another changeset to this PR

@tadhglewis
Copy link
Member Author

Related: #1602

@tadhglewis tadhglewis marked this pull request as ready for review July 2, 2024 03:24
@tadhglewis tadhglewis requested a review from a team as a code owner July 2, 2024 03:24
@AaronMoat
Copy link
Contributor

Hoping for other opinions, but I don't mind the change. I'd like your thoughts on whether adding some form of warning / documentation linking is suitable here?

72636c
72636c reviewed Jul 19, 2024
View reviewed changes
template/koa-rest-api/src/framework/server.ts
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@etaoins do you have any thoughts as Koala BDFL?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't mind this either. This is the big one because it can break loading all HTTP resources hosted on the same domain:

The app's domain does not mix HTTP and HTTPS

However, that's become even less common in the 5 years since this documentation was written. The other caveats only have a local effect and would presumably be caught during testing.

AaronMoat
AaronMoat approved these changes Aug 10, 2024
View reviewed changes
Copy link
Contributor

@AaronMoat AaronMoat left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can you add a patch changeset, please?

template/koa-rest-api/src/framework/server.ts Show resolved Hide resolved
AaronMoat and others added 3 commits August 10, 2024 16:08
@tadhglewis tadhglewis merged commit 72e448d into main Sep 2, 2024
15 checks passed
@tadhglewis tadhglewis deleted the tadhglewis-patch-1 branch September 2, 2024 01:14
@seek-oss-ci seek-oss-ci mentioned this pull request Sep 2, 2024
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@72636c 72636c 72636c approved these changes

@AaronMoat AaronMoat AaronMoat approved these changes

@etaoins etaoins etaoins approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@tadhglewis @AaronMoat @etaoins @72636c