Update Content-Type behavior #86
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
…ration in BOSH job
bengerman13
approved these changes
Jun 25, 2024
This was referenced Jun 26, 2024
Merged
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Changes Proposed
Related to #81
The discussion in #81 highlights a potential bug in this proxy: it always adds a default
Content-Typeheader to the response, even in cases like HTTP 204/304 responses which have no response body and thus for which aContent-Typeheader is inappropriate.This PR updates the Nginx configuration to only set a default
Content-Typeheader when the response status code is not 204 or 304.The PR also adds some Docker configuration for running OpenResty with a basic Node app to make local testing much easier.
Security Considerations
It seems like adding a
Content-Typeheader was done to resolve a POAM: cloud-gov/product#540At the same time, it seems like the
Content-Typeheader itself may have been an afterthought: #6But for 204/304 responses where no response body is expected, I don't see how adding a
Content-Typeheader is ever appropriate.