Merge pull request #846 from aaronlehmann/http-header-configuration

Add a section to the config file for HTTP headers to add to responses

docs/handlers/api_test.go

@@ -30,6 +30,10 @@ import (
 	"golang.org/x/net/context"
 )
 
+var headerConfig = http.Header{
+	"X-Content-Type-Options": []string{"nosniff"},
+}
+
 // TestCheckAPI hits the base endpoint (/v2/) ensures we return the specified
 // 200 OK response.
 func TestCheckAPI(t *testing.T) {
@@ -215,6 +219,7 @@ func TestURLPrefix(t *testing.T) {
 		},
 	}
 	config.HTTP.Prefix = "/test/"
+	config.HTTP.Headers = headerConfig
 
 	env := newTestEnvWithConfig(t, &config)
 
@@ -1024,6 +1029,8 @@ func newTestEnv(t *testing.T, deleteEnabled bool) *testEnv {
 		},
 	}
 
+	config.HTTP.Headers = headerConfig
+
 	return newTestEnvWithConfig(t, &config)
 }
 
@@ -1240,6 +1247,14 @@ func checkResponse(t *testing.T, msg string, resp *http.Response, expectedStatus
 
 		t.FailNow()
 	}
+
+	// We expect the headers included in the configuration
+	if !reflect.DeepEqual(resp.Header["X-Content-Type-Options"], []string{"nosniff"}) {
+		t.Logf("missing or incorrect header X-Content-Type-Options %s", msg)
+		maybeDumpResponse(t, resp)
+
+		t.FailNow()
+	}
 }
 
 // checkBodyHasErrorCodes ensures the body is an error body and has the

docs/handlers/app.go

@@ -443,6 +443,12 @@ type dispatchFunc func(ctx *Context, r *http.Request) http.Handler
 // handler, using the dispatch factory function.
 func (app *App) dispatcher(dispatch dispatchFunc) http.Handler {
 	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		for headerName, headerValues := range app.Config.HTTP.Headers {
+			for _, value := range headerValues {
+				w.Header().Add(headerName, value)
+			}
+		}
+
 		context := app.context(w, r)
 
 		if err := app.authorized(w, r, context); err != nil {