[Solved] Adding header to response if it does not exist yet

Added by kangaroo over 4 years ago

Hi

I have a configuration where lighttpd is serving some sites ("vHosts") and (reverse) proxying others. I would like to set for example an

X-Frame-Options: SAMEORIGIN

header for all pages lighttpd serves.

I have done this along the line of the following idea

$SERVER["socket"] == "0.0.0.0:443" {
    ...
    setenv.add-response-header += (
        "X-Frame-Options" => "SAMEORIGIN",
    )
}

which is working/doing the right thing if there is NO "X-Frame-Options" header in the response.

However, if there already is such a header (which seems to be the case for a proxied application for example), I end up with a duplicate header in the response. And if the application sets a different value for the header, the resulting response has them both.

So I tried using "setenv.set-response-header" ("set" instead of "add") which eliminates the duplicate but overrides the header value the application set "earlier". So if the app for example sets "X-Frame-Options: DENY", I still see a "X-Frame-Options: SAMEORIGIN" in the final response.

Is there a way to have lighttpd only set a header if it is not present? Or is there a better way to achieve my goal?

I am running lighttpd 1.4.54 on FreeBSD 12.1.


Replies (2)

RE: Adding header to response if it does not exist yet - Added by gstrauss over 4 years ago

As you have noted, setenv.add-response-header adds (or appends), and setenv.set-response-header sets (overrides) a header.

> Is there a way to have lighttpd only set a header if it is not present? Or is there a better way to achieve my goal?

If you do not want lighttpd to add the header for requests served by the backend, then create a condition in the lighttpd config for things that are sent to the backend, and then create an "else" clause which has setenv.set-response-header to set the header (on those requests which did not get sent to the backend).

RE: Adding header to response if it does not exist yet - Added by kangaroo over 4 years ago

Thank you for this input. It turns out that it is exactly what I need: as I am forwarding complete subdomain(s) to the backends, it is pretty straightforward to implement the if/else.

$SERVER["socket"] == "0.0.0.0:443" {
    ...
    $HTTP["host"] !~ "^sub\.example\.com$" {
        setenv.set-response-header += (
            "X-Frame-Options" => "SAMEORIGIN",
            "Strict-Transport-Security" => "max-age=15552000; includeSubDomains; preload",
        )
    }
    else {
        setenv.set-response-header += (
            "Strict-Transport-Security" => "max-age=15552000; includeSubDomains; preload",
        )
    }
    ...
}
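
A check for the duplicate and conflicting headers described in this thread, as an added example that is not part of the original posts: it parses a raw response header block and classifies each security header. The function names and the sample responses are constructed for illustration.

```python
from collections import defaultdict

# Headers expected exactly once per response (the two set in the thread's config).
SINGLE_VALUED = ("x-frame-options", "strict-transport-security")

def parse_headers(raw):
    """Map lowercased field name -> list of values from a raw HTTP/1.x header block."""
    fields = defaultdict(list)
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0]
    for line in head.split("\n")[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if not sep:
            continue
        # An intermediary may fold repeated fields into one comma-separated line;
        # neither header above uses commas inside a valid value, so split on them.
        for part in value.split(","):
            if part.strip():
                fields[name.strip().lower()].append(part.strip())
    return fields

def audit(raw, names=SINGLE_VALUED):
    """Classify each header as 'missing', 'ok', 'duplicate' or 'conflict'."""
    fields = parse_headers(raw)
    report = {}
    for name in names:
        values = fields.get(name, [])
        if not values:
            report[name] = "missing"
        elif len(values) == 1:
            report[name] = "ok"
        elif len({v.lower() for v in values}) == 1:
            report[name] = "duplicate"  # same value sent twice
        else:
            report[name] = "conflict"   # e.g. DENY from the app plus SAMEORIGIN
    return report

HSTS = "Strict-Transport-Security: max-age=15552000; includeSubDomains; preload\r\n"
# Constructed responses: proxied app with add-response-header, then with the if/else.
PROXIED_ADD = ("HTTP/1.1 200 OK\r\nX-Frame-Options: DENY\r\n"
               "X-Frame-Options: SAMEORIGIN\r\n" + HSTS + "\r\n<html></html>")
PROXIED_FIXED = "HTTP/1.1 200 OK\r\nX-Frame-Options: DENY\r\n" + HSTS + "\r\n"
FOLDED = "HTTP/1.1 200 OK\r\nX-Frame-Options: SAMEORIGIN, SAMEORIGIN\r\n\r\n"

if __name__ == "__main__":
    for label, raw in (("add", PROXIED_ADD), ("if/else", PROXIED_FIXED), ("folded", FOLDED)):
        print(label, audit(raw))
```

Feeding it the header block captured from each vhost after a config change shows whether a backend's own header is being doubled or contradicted.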