From 8a4bda8d577904febb707e7d3eb31274c08155c5 Mon Sep 17 00:00:00 2001 From: Fabian Reinartz Date: Tue, 12 Jun 2018 08:59:13 -0400 Subject: [PATCH] web: remove security headers Signed-off-by: Fabian Reinartz --- web/web.go | 15 +-------------- web/web_test.go | 48 ------------------------------------------------ 2 files changed, 1 insertion(+), 62 deletions(-) diff --git a/web/web.go b/web/web.go index 4e671e5ce..d50ebe889 100644 --- a/web/web.go +++ b/web/web.go @@ -71,17 +71,6 @@ import ( var localhostRepresentations = []string{"127.0.0.1", "localhost"} -// secureHeadersMiddleware adds common HTTP security headers to responses. -func secureHeadersMiddleware(h http.Handler) http.Handler { - return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { - w.Header().Add("X-XSS-Protection", "1; mode=block") - w.Header().Add("X-Content-Type-Options", "nosniff") - w.Header().Add("X-Frame-Options", "SAMEORIGIN") - w.Header().Add("Content-Security-Policy", "frame-ancestors 'self'") - h.ServeHTTP(w, r) - }) -} - var ( requestDuration = prometheus.NewHistogramVec( prometheus.HistogramOpts{ @@ -489,10 +478,8 @@ func (h *Handler) Run(ctx context.Context) error { errlog := stdlog.New(log.NewStdlibAdapter(level.Error(h.logger)), "", 0) - withSecureHeaders := nethttp.Middleware(opentracing.GlobalTracer(), secureHeadersMiddleware(mux), operationName) - httpSrv := &http.Server{ - Handler: withSecureHeaders, + Handler: nethttp.Middleware(opentracing.GlobalTracer(), mux, operationName), ErrorLog: errlog, ReadTimeout: h.options.ReadTimeout, } diff --git a/web/web_test.go b/web/web_test.go index 359a65073..d94f85c7e 100644 --- a/web/web_test.go +++ b/web/web_test.go @@ -83,54 +83,6 @@ func TestGlobalURL(t *testing.T) { } } -func TestEndpointHeaders(t *testing.T) { - t.Parallel() - dbDir, err := ioutil.TempDir("", "tsdb-ready") - - testutil.Ok(t, err) - - defer os.RemoveAll(dbDir) - - db, err := libtsdb.Open(dbDir, nil, nil, nil) - - testutil.Ok(t, err) - - opts := &Options{ - ListenAddress: ":9095", - ReadTimeout: 30 * time.Second, - MaxConnections: 512, - Context: nil, - Storage: &tsdb.ReadyStorage{}, - QueryEngine: nil, - RuleManager: nil, - Notifier: nil, - RoutePrefix: "/", - EnableAdminAPI: true, - TSDB: func() *libtsdb.DB { return db }, - } - - opts.Flags = map[string]string{} - - webHandler := New(nil, opts) - go func() { - err := webHandler.Run(context.Background()) - if err != nil { - panic(fmt.Sprintf("Can't start webhandler error %s", err)) - } - }() - - time.Sleep(5 * time.Second) - - resp, err := http.Get("http://localhost:9095/version") - - testutil.Ok(t, err) - testutil.Equals(t, "1; mode=block", resp.Header.Get("X-XSS-Protection")) - testutil.Equals(t, "nosniff", resp.Header.Get("X-Content-Type-Options")) - testutil.Equals(t, "SAMEORIGIN", resp.Header.Get("X-Frame-Options")) - testutil.Equals(t, "frame-ancestors 'self'", resp.Header.Get("Content-Security-Policy")) - -} - func TestReadyAndHealthy(t *testing.T) { t.Parallel() dbDir, err := ioutil.TempDir("", "tsdb-ready")