Merge pull request #4258 from prometheus/rmsecheaders

web: remove security headers
2024-12-26 22:19:40 -08:00 · 2018-06-12 16:21:35 +02:00 · 2018-06-12 16:21:35 +02:00 · 7a74689973
parent 0e5e7f75cd 8a4bda8d57
commit 7a74689973
2 changed files with 1 additions and 62 deletions
--- a/web/web.go
+++ b/web/web.go
@ -71,17 +71,6 @@ import (
 var localhostRepresentations = []string{"127.0.0.1", "localhost"}
 // secureHeadersMiddleware adds common HTTP security headers to responses.
 func secureHeadersMiddleware(h http.Handler) http.Handler {
 	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 		w.Header().Add("X-XSS-Protection", "1; mode=block")
 		w.Header().Add("X-Content-Type-Options", "nosniff")
 		w.Header().Add("X-Frame-Options", "SAMEORIGIN")
 		w.Header().Add("Content-Security-Policy", "frame-ancestors 'self'")
 		h.ServeHTTP(w, r)
 	})
 }
 var (
 	requestDuration = prometheus.NewHistogramVec(
 		prometheus.HistogramOpts{
@ -489,10 +478,8 @@ func (h *Handler) Run(ctx context.Context) error {
 	errlog := stdlog.New(log.NewStdlibAdapter(level.Error(h.logger)), "", 0)
 	withSecureHeaders := nethttp.Middleware(opentracing.GlobalTracer(), secureHeadersMiddleware(mux), operationName)
 	httpSrv := &http.Server{
-		Handler:     withSecureHeaders,
+		Handler:     nethttp.Middleware(opentracing.GlobalTracer(), mux, operationName),
 		ErrorLog:    errlog,
 		ReadTimeout: h.options.ReadTimeout,
 	}
--- a/web/web_test.go
+++ b/web/web_test.go
@ -83,54 +83,6 @@ func TestGlobalURL(t *testing.T) {
 	}
 }
 func TestEndpointHeaders(t *testing.T) {
 	t.Parallel()
 	dbDir, err := ioutil.TempDir("", "tsdb-ready")
 	testutil.Ok(t, err)
 	defer os.RemoveAll(dbDir)
 	db, err := libtsdb.Open(dbDir, nil, nil, nil)
 	testutil.Ok(t, err)
 	opts := &Options{
 		ListenAddress:  ":9095",
 		ReadTimeout:    30 * time.Second,
 		MaxConnections: 512,
 		Context:        nil,
 		Storage:        &tsdb.ReadyStorage{},
 		QueryEngine:    nil,
 		RuleManager:    nil,
 		Notifier:       nil,
 		RoutePrefix:    "/",
 		EnableAdminAPI: true,
 		TSDB:           func() *libtsdb.DB { return db },
 	}
 	opts.Flags = map[string]string{}
 	webHandler := New(nil, opts)
 	go func() {
 		err := webHandler.Run(context.Background())
 		if err != nil {
 			panic(fmt.Sprintf("Can't start webhandler error %s", err))
 		}
 	}()
 	time.Sleep(5 * time.Second)
 	resp, err := http.Get("http://localhost:9095/version")
 	testutil.Ok(t, err)
 	testutil.Equals(t, "1; mode=block", resp.Header.Get("X-XSS-Protection"))
 	testutil.Equals(t, "nosniff", resp.Header.Get("X-Content-Type-Options"))
 	testutil.Equals(t, "SAMEORIGIN", resp.Header.Get("X-Frame-Options"))
 	testutil.Equals(t, "frame-ancestors 'self'", resp.Header.Get("Content-Security-Policy"))
 }
 func TestReadyAndHealthy(t *testing.T) {
 	t.Parallel()
 	dbDir, err := ioutil.TempDir("", "tsdb-ready")