only add Content-Type header when respnose body is present (#82)

* update Nginx configuration to only add Content-Type header when response body is present * add condition to only add content-type header if response body is not 0 in HTTPS server block * update nginx configuration to use Lua block to conditionally set Content-Type header
cloud-gov · Jun 20, 2024 · b43867b · b43867b
1 parent af7e987
commit b43867b
Showing 1 changed file with 17 additions and 3 deletions.
diff --git a/jobs/secureproxy/templates/config/nginx.conf.erb b/jobs/secureproxy/templates/config/nginx.conf.erb
@@ -179,7 +179,6 @@ http {
       add_header Strict-Transport-Security $sts always;
       add_header X-Content-Type-Options $content_type_options always;
       add_header X-XSS-Protection $xss_protection always;
-      add_header Content-Type $default_content_type always;
 
       # Clear X-Frame-Options before setting so that ALLOWALL is cleared if set
       more_clear_headers X-Frame-Options;
@@ -195,6 +194,14 @@ http {
       ##
 
       access_by_lua_block {
+        # Don't add a `Content-Type` header if the response length is 0,
+        # e.g. 204/304 status codes
+        if ngx.var.upstream_response_length > 0 then
+          ngx.req.set_header("Content-Type", ngx.var.default_content_type)
+        else
+          ngx.log(ngx.NOTICE, "Content-Type header not added for host ", ngx.var.host, "and request URI ", ngx.var.request_uri , "with a response body length of 0")
+        end
+
         -- bail fast if we don't have a whitelist
         if ip_whitelist_size == 0 then
           return
@@ -279,8 +286,7 @@ server {
     add_header Strict-Transport-Security $sts always;
     add_header X-Content-Type-Options $content_type_options always;
     add_header X-XSS-Protection $xss_protection always;
-    add_header Content-Type $default_content_type always;
-
+
     # Clear X-Frame-Options before setting so that ALLOWALL is cleared if set
     more_clear_headers X-Frame-Options;
     more_set_headers "X-Frame-Options: $frame_options";
@@ -295,6 +301,14 @@ server {
     ##
 
     access_by_lua_block {
+      # Don't add a `Content-Type` header if the response length is 0,
+      # e.g. 204/304 status codes
+      if ngx.var.upstream_response_length > 0 then
+        ngx.req.set_header("Content-Type", ngx.var.default_content_type)
+      else
+        ngx.log(ngx.NOTICE, "Content-Type header not added for host ", ngx.var.host, "and request URI ", ngx.var.request_uri , "with a response body length of 0")
+      end
+
       -- bail fast if we don't have a whitelist
       if ip_whitelist_size == 0 then
         return