Gatsby: [gatsby-plugin-netlify] Overwrite headers

Created on 10 Sep 2018  Â·  13Comments  Â·  Source: gatsbyjs/gatsby

Description

I was trying to override the X-Frame-Options: DENY-header the plugin sets for all pages to enable a headless CMS to embed our page in an iframe.

Steps to reproduce

Taken from https://github.com/BILDQUADRAT/website.

Set headers like this:
gatsby-config.js: 

module.exports = {
  plugins: [
    // ..
    {
      resolve: 'gatsby-plugin-netlify',
      options: {
        headers: {
          '/*': [
            "Content-Security-Policy: frame-ancestors 'self' https://*.storyblok.com/",
            "X-Frame-Options: ALLOW-FROM https://app.storyblok.com/",
          ]
        },
        mergeSecurityHeaders: true,
      }
    },
    // ...
  ],
}

Expected result

I'd end up with a _headers file like this:

## Created with gatsby-plugin-netlify

/*
  Content-Security-Policy: frame-ancestors 'self' https://*.storyblok.com/
  X-Frame-Options: ALLOW-FROM https://app.storyblok.com/
  X-XSS-Protection: 1; mode=block
  X-Content-Type-Options: nosniff

...

Actual result

I get a _headers file like this:

## Created with gatsby-plugin-netlify

/*
  Content-Security-Policy: frame-ancestors 'self' https://*.storyblok.com/
  X-Frame-Options: ALLOW-FROM https://app.storyblok.com/
  X-Frame-Options: DENY
  X-XSS-Protection: 1; mode=block
  X-Content-Type-Options: nosniff

...

The transformHeaders-function allowed me to reach my desired result, but it's not a very elegant solution.

Environment

  System:
    OS: macOS High Sierra 10.13.6
    CPU: x64 Intel(R) Core(TM) i7-4870HQ CPU @ 2.50GHz
    Shell: 5.3 - /bin/zsh
  Binaries:
    Node: 8.11.4 - /usr/local/opt/node@8/bin/node
    Yarn: 1.9.4 - /usr/local/bin/yarn
    npm: 5.6.0 - /usr/local/opt/node@8/bin/npm
  Browsers:
    Chrome: 69.0.3497.81
    Firefox: 61.0.2
    Safari: 11.1.2
  npmPackages:
    gatsby: ^2.0.0-rc.15 => 2.0.0-rc.15 
    gatsby-plugin-netlify: ^2.0.0-rc.2 => 2.0.0-rc.2 
    gatsby-plugin-netlify-cache: ^0.1.0 => 0.1.0 
    gatsby-plugin-react-helmet: ^3.0.0-rc.1 => 3.0.0-rc.1 
    gatsby-plugin-sass: ^2.0.0-rc.2 => 2.0.0-rc.2 
    gatsby-plugin-typescript: ^2.0.0-rc.5 => 2.0.0-rc.5 
    gatsby-source-storyblok: ^0.1.1 => 0.1.1
question or discussion
Source
picture NeoLegends

All 13 comments

Hi @NeoLegends, you can remove the default security headers by passing mergeSecurityHeaders as false and add the ones you need in headers.

kakadiadarpan picture kakadiadarpan on 10 Sep 2018

Ah, I was thinking the opposite. mergeSecurityHeaders implies that it will do the merge for me. Might wanna rename that. :)

Am 10.09.2018 um 13:51 schrieb Darpan Kakadia notifications@github.com:

Closed #8020.

—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub, or mute the thread.

NeoLegends picture NeoLegends on 10 Sep 2018

@NeoLegends doesn't it implies that if it's value is true it will merge the given security headers with default headers otherwise, it just takes what you provide to it?

kakadiadarpan picture kakadiadarpan on 14 Sep 2018

I thought it would overwrite the defaults with my config values.

NeoLegends picture NeoLegends on 14 Sep 2018

I know this is closed, but I spent some time on this as well. This is a not a merge but more of a "concat" of headers if you ask me. It doesn't feel intuitive as it currently stands. Are you open for changes on this?

grumpyoldman-io picture grumpyoldman-io on 11 Jun 2019
👀1 👍1

would also expect to be able to override default security headers

slorber picture slorber on 9 Jul 2019
👍1

I have also just run into this. Felt more intuitive that setting a value and merging would override the default, not create a duplicate

Jwrighty picture Jwrighty on 25 Jul 2019
👍1

Just ran into this too, the current behavior is indeed an append and not a merge as it should be.
I can make a PR if you think it should be modified?

antoinerousseau picture antoinerousseau on 9 Sep 2019

@antoinerousseau That does make sense. Happy to accept a PR!

sidharthachatterjee picture sidharthachatterjee on 10 Sep 2019
👍1

@sidharthachatterjee https://github.com/gatsbyjs/gatsby/pull/17538 \o/

antoinerousseau picture antoinerousseau on 10 Sep 2019
🎉1

@NeoLegends have you figured out a solution for this? I am getting an error
Refused to display 'https://public.tableau.com/ in a frame because it set 'X-Frame-Options' to 'sameorigin'.

arhoy picture arhoy on 23 Feb 2020

I have the following in my config and trying to allow anything with the root URL public.tableau.com

   {
      resolve: 'gatsby-plugin-netlify',
      options: {
        headers: {
          '/*': ['X-Frame-Options: ALLOW-FROM https://public.tableau.com/'],
        },
        mergeSecurityHeaders: false,
      },
    }

However, I am still getting the same error and not sure if my set up is correct.

arhoy picture arhoy on 23 Feb 2020

curl -I https://public.tableau.com/ does not show any X-Frame headers.
What do you have in _headers after running gatsby build?
You might need to tweak your CloudFront setup (I see X-Amz-Cf-* headers) as it might not be passing them from Netlify.

antoinerousseau picture antoinerousseau on 27 Feb 2020
Was this page helpful?
0 / 5 - 0 ratings

Related issues

Oppenheimer1 picture Oppenheimer1  Â·  3Comments
brandonmp picture brandonmp  Â·  3Comments
KyleAMathews picture KyleAMathews  Â·  3Comments
dustinhorton picture dustinhorton  Â·  3Comments
signalwerk picture signalwerk  Â·  3Comments