Add baseline HTTP security headers to gateway responses#6906
QuantumEdu wants to merge 1 commit into openclaw:main from
Conversation
Apply four OWASP-recommended security headers to every HTTP response from the gateway server:
- X-Content-Type-Options: nosniff (prevents MIME-sniffing)
- X-Frame-Options: SAMEORIGIN (mitigates clickjacking)
- Referrer-Policy: same-origin (limits referrer leakage)
- Permissions-Policy: camera=(), microphone=(), geolocation=()
Headers are set centrally in handleRequest() before routing, ensuring coverage across all endpoints (hooks, tools, OpenAI, Control UI, etc.).
Addresses part of openclaw#6675.
Co-Authored-By: Claude Opus 4.5 <[email protected]>
Additional Comments (1)
Path: src/gateway/server-http.ts
Line: 238:244
Comment:
[P1] WebSocket upgrade path now skips all response header hardening.
`handleRequest()` returns early for `Upgrade: websocket`, so the baseline security headers won’t be applied to the 101 Switching Protocols handshake. If the intent is “every gateway response”, this is a gap for any WS clients (e.g., Control UI/web sockets) and is easy to miss because the function name/comment says “every response”.
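The ordering question the reviewer raises above, as an added example that is not openclaw's code and not the gateway's implementation: a JavaScript sketch of a centralized header helper, the handler ordering that produces the gap beside the ordering that closes it, and a checker that automates the test plan's `curl -sI` verification. `routeRequest`, `FakeResponse`, the request objects and the sample response heads are constructed for this example; how the real gateway detects an upgrade is an assumption. One caveat a practitioner should keep in mind: in Node the 101 handshake is frequently written straight to the socket by the WebSocket library from the server's 'upgrade' event rather than through a ServerResponse, in which case headers set on `res` never reach the handshake at all and have to be added where the handshake is written (the `ws` package exposes a 'headers' event on WebSocketServer for this).

```javascript
// Added example, not code from the openclaw gateway. Demonstrates setting the
// four baseline headers in one place, applying them before the WebSocket early
// return the review comment flags, and checking a raw `curl -sI` response head.

const SECURITY_HEADERS = Object.freeze({
  'X-Content-Type-Options': 'nosniff',
  'X-Frame-Options': 'SAMEORIGIN',
  'Referrer-Policy': 'same-origin',
  'Permissions-Policy': 'camera=(), microphone=(), geolocation=()',
});

// Works against anything with the http.ServerResponse header API
// (hasHeader/setHeader). Existing headers are left alone so a route can
// deliberately override a value.
function setSecurityHeaders(res) {
  for (const [name, value] of Object.entries(SECURITY_HEADERS)) {
    if (!res.hasHeader(name)) res.setHeader(name, value);
  }
}

// RFC 6455 handshake shape: GET plus an Upgrade header carrying "websocket".
function isWebSocketUpgrade(req) {
  const upgrade = String(req.headers.upgrade ?? '').toLowerCase();
  return req.method === 'GET' && upgrade.split(',').map((t) => t.trim()).includes('websocket');
}

// Hypothetical stand-in for the gateway's real route table.
function routeRequest(req, res) {
  res.writeHead(200, { 'Content-Type': 'text/plain; charset=utf-8' });
  res.end('ok');
}

// The ordering the reviewer flagged: the upgrade check returns before the
// helper runs, so the handshake response carries none of the headers.
function handleRequestUpgradeFirst(req, res) {
  if (isWebSocketUpgrade(req)) return 'upgrade'; // handed to the WS layer untouched
  setSecurityHeaders(res);
  routeRequest(req, res);
  return 'routed';
}

// Hardened ordering: headers go on first, so every path that later writes a
// status line through this response object inherits them.
function handleRequest(req, res) {
  setSecurityHeaders(res);
  if (isWebSocketUpgrade(req)) return 'upgrade';
  routeRequest(req, res);
  return 'routed';
}

// Minimal in-memory stand-in for http.ServerResponse, constructed for this
// example so the handlers run without opening a socket. Header names are
// case-insensitive, as in Node.
class FakeResponse {
  constructor() { this.headers = new Map(); this.statusCode = null; this.body = ''; }
  hasHeader(name) { return this.headers.has(name.toLowerCase()); }
  setHeader(name, value) { this.headers.set(name.toLowerCase(), value); }
  getHeader(name) { return this.headers.get(name.toLowerCase()); }
  writeHead(status, extra = {}) {
    this.statusCode = status;
    for (const [name, value] of Object.entries(extra)) this.setHeader(name, value);
  }
  end(body = '') { this.body = body; }
}

// Verification step from the PR's test plan, automated: feed in the head that
// `curl -sI http://localhost:18789/` prints and get back the baseline headers
// that are absent or carry a different value.
function missingSecurityHeaders(rawHead) {
  const present = new Map();
  for (const line of rawHead.split(/\r?\n/).slice(1)) { // skip the status line
    const colon = line.indexOf(':');
    if (colon > 0) present.set(line.slice(0, colon).trim().toLowerCase(), line.slice(colon + 1).trim());
  }
  return Object.entries(SECURITY_HEADERS)
    .filter(([name, value]) => present.get(name.toLowerCase()) !== value)
    .map(([name]) => name);
}

// Runs both orderings against a constructed handshake request and a plain GET.
function demo() {
  const wsReq = { method: 'GET', headers: { upgrade: 'websocket', connection: 'Upgrade' } };
  const plainReq = { method: 'GET', headers: {} };
  const gap = new FakeResponse();
  const fixed = new FakeResponse();
  const plain = new FakeResponse();
  handleRequestUpgradeFirst(wsReq, gap);
  handleRequest(wsReq, fixed);
  handleRequest(plainReq, plain);
  return {
    upgradeFirstHeaderCount: gap.headers.size, // 0: the handshake left unhardened
    hardenedHeaderCount: fixed.headers.size,   // 4
    plainStatus: plain.statusCode,             // 200
    plainHasNosniff: plain.getHeader('X-Content-Type-Options') === 'nosniff',
  };
}
```

`demo()` shows the difference the reviewer describes: with the upgrade check first, the handshake response object is handed on with zero headers; with the helper first, it carries all four before any early return. `missingSecurityHeaders()` takes the verbatim output of the test plan's curl command, so the check can sit in CI rather than being eyeballed.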
bfc1ccb to f92900f
This comment was marked as spam.
This pull request has been automatically marked as stale due to inactivity. |
Closing due to inactivity. |
Summary
- setSecurityHeaders() helper in http-common.ts that applies four OWASP-recommended headers to every HTTP response
- Called from handleRequest() in server-http.ts, covering all gateway endpoints (hooks, tools, OpenAI, Control UI, etc.)
Headers added
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
Referrer-Policy: same-origin
Permissions-Policy: camera=(), microphone=(), geolocation=()
All four headers are additive and non-breaking. They follow the baseline set proposed in #6675.
Test plan
- node dist/index.js gateway
- curl -sI http://localhost:18789/ and verify all four headers are present
Addresses part of #6675.
Generated with Claude Code
Greptile Overview
Greptile Summary
This PR introduces a centralized setSecurityHeaders() helper (src/gateway/http-common.ts) and invokes it near the top of the gateway HTTP request handler (src/gateway/server-http.ts) so that most gateway endpoints consistently emit a baseline set of OWASP-recommended response headers (nosniff, frame options, referrer policy, and a restrictive permissions policy). This aligns response hardening across the various HTTP handlers (hooks, tools, OpenAI/OpenResponses, Control UI, etc.) without having to duplicate header setting logic in each endpoint.
Confidence Score: 4/5
(2/5)