github/openclaw
1
0
Fork 0
mirror of https://github.com/openclaw/openclaw.git synced 2026-05-08 02:41:24 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
b43aadc34cba3b3575aaa9dd15304842ca3f492f
openclaw/src/gateway/http-common.ts
Abdel Fane e955582c8f security: add baseline security headers to gateway HTTP responses (#10526) 
* security: add baseline security headers to gateway HTTP responses

All responses from the gateway HTTP server now include
X-Content-Type-Options: nosniff and Referrer-Policy: no-referrer.

These headers are applied early in handleRequest, before any
handler runs, ensuring coverage for every response including
error pages and 404s.

Headers that restrict framing (X-Frame-Options, CSP
frame-ancestors) are intentionally omitted at this global level
because the canvas host and A2UI handlers serve content that may
be loaded inside frames.

* fix: apply security headers before WebSocket upgrade check

Move setDefaultSecurityHeaders() above the WebSocket early-return so
the headers are set on every HTTP response path including upgrades.

---------

Co-authored-by: Vincent Koc <vincentkoc@ieee.org>
2026-02-19 03:28:24 -08:00

101 lines
3.1 KiB
TypeScript
Raw Blame History

import type { IncomingMessage, ServerResponse } from "node:http";
import type { GatewayAuthResult } from "./auth.js";
import { readJsonBody } from "./hooks.js";
/**
* Apply baseline security headers that are safe for all response types (API JSON,
* HTML pages, static assets, SSE streams). Headers that restrict framing or set a
* Content-Security-Policy are intentionally omitted here because some handlers
* (canvas host, A2UI) serve content that may be loaded inside frames.
*/
export function setDefaultSecurityHeaders(res: ServerResponse) {
res.setHeader("X-Content-Type-Options", "nosniff");
res.setHeader("Referrer-Policy", "no-referrer");
}
export function sendJson(res: ServerResponse, status: number, body: unknown) {
res.statusCode = status;
res.setHeader("Content-Type", "application/json; charset=utf-8");
res.end(JSON.stringify(body));
}
export function sendText(res: ServerResponse, status: number, body: string) {
res.statusCode = status;
res.setHeader("Content-Type", "text/plain; charset=utf-8");
res.end(body);
}
export function sendMethodNotAllowed(res: ServerResponse, allow = "POST") {
res.setHeader("Allow", allow);
sendText(res, 405, "Method Not Allowed");
}
export function sendUnauthorized(res: ServerResponse) {
sendJson(res, 401, {
error: { message: "Unauthorized", type: "unauthorized" },
});
}
export function sendRateLimited(res: ServerResponse, retryAfterMs?: number) {
if (retryAfterMs && retryAfterMs > 0) {
res.setHeader("Retry-After", String(Math.ceil(retryAfterMs / 1000)));
}
sendJson(res, 429, {
error: {
message: "Too many failed authentication attempts. Please try again later.",
type: "rate_limited",
},
});
}
export function sendGatewayAuthFailure(res: ServerResponse, authResult: GatewayAuthResult) {
if (authResult.rateLimited) {
sendRateLimited(res, authResult.retryAfterMs);
return;
}
sendUnauthorized(res);
}
export function sendInvalidRequest(res: ServerResponse, message: string) {
sendJson(res, 400, {
error: { message, type: "invalid_request_error" },
});
}
export async function readJsonBodyOrError(
req: IncomingMessage,
res: ServerResponse,
maxBytes: number,
): Promise<unknown> {
const body = await readJsonBody(req, maxBytes);
if (!body.ok) {
if (body.error === "payload too large") {
sendJson(res, 413, {
error: { message: "Payload too large", type: "invalid_request_error" },
});
return undefined;
}
if (body.error === "request body timeout") {
sendJson(res, 408, {
error: { message: "Request body timeout", type: "invalid_request_error" },
});
return undefined;
}
sendInvalidRequest(res, body.error);
return undefined;
}
return body.value;
}
export function writeDone(res: ServerResponse) {
res.write("data: [DONE]\n\n");
}
export function setSseHeaders(res: ServerResponse) {
res.statusCode = 200;
res.setHeader("Content-Type", "text/event-stream; charset=utf-8");
res.setHeader("Cache-Control", "no-cache");
res.setHeader("Connection", "keep-alive");
res.flushHeaders?.();
}
Reference in New Issue View Git Blame Copy Permalink