Default asset canister headers

cryptoschindler · May 26, 2022, 8:13am

The security best practices name a few headers that should be set

Checking a normal asset canister deployed on the IC shows the above mentioned headers are missing. Can we add them to the asset caniater? I guess some of them need to be dynamically set according to the needs of the canister

@roman-kashitsyn

peterparker · May 26, 2022, 9:33am

Currently you cannot out of the box define HTTP headers options for the default assets canister.

github.com/dfinity/sdk

feat: http headers options for assets canisters

opened 06:07AM - 22 Oct 21 UTC

peterpeterparker

### Feature Description It should be possible to configure HTTP headers for U…RL patterns of the canisters assets in `dfx.json`. ### Use Case HTTP headers are useful to configure the behavior of the assets delivered to the browsers. `Cache-Control` is notably a must have to set the persistence policy of the web apps icons, images, fonts and other JS assets. In addition, Lighthouse displays the lack of such headers in errors. Not only performance are impacted but, missing headers can also have an influence on SEO ranking. ### Example - Firebase Google Firebase offers the ability to configure HTTP headers via their `firebase.json` config file (see [documentation](https://firebase.google.com/docs/hosting/full-config#headers)). In my app, I therefore define some headers as following which, I would like to also do with the IC: ``` { "hosting": { "public": "www", "ignore": ["firebase.json", "**/.*", "**/node_modules/**"], "rewrites": [ { "source": "**", "destination": "/index.html" } ], "headers": [ { "source": "assets/icons/**/*", "headers": [ { "key": "Access-Control-Allow-Origin", "value": "*" }, { "key": "Cache-Control", "value": "max-age=31536000" } ] }, { "source": "**/*.@(js|css)", "headers": [ { "key": "Cache-Control", "value": "max-age=31536000" } ] } ] } } ``` ### Misc I originally opened my question on the [forum](https://forum.dfinity.org/t/asset-canister-http-headers-cache-control-and-access-control-allow-origin/8048). ### Code The headers are currently hardcoded - there is no such option - in the [Rust Canister development kit](https://github.com/dfinity/cdk-rs/blob/43044af95a678e98bc70bdbb81b0ab49e35db728/src/ic-certified-assets/src/lib.rs#L500)

The doc you linked is indeed a bit misleading at the momment. II set headers on the http response because II uses its own asset canister. Therefore they were able to develop such a thing (Rust code source).

So one option currently is to fork the certified asset canister and to develop - set - your headers if you want the canister to set those information on HTTP response.

When it comes to the CSP, another option, what I do, is to add statically the CSP in your HTML pages.

The trade off is that you cannot set all CSP options. e.g. X-Frame-Options can only be set by the backend. Being said, you can set most of the CSP rules from the frontend too. I let you decide if you see the glass half empty or half full .

If you use Sveltkit as I do you can define the information in the svelte.config its quite handy (my CSP source for example).

mnl · May 26, 2022, 9:39am

@cryptoschindler Thanks for bringing this up! We’re currently working on that. Once done, it will be possible to set custom HTTP headers.

cryptoschindler · May 26, 2022, 1:43pm

Thanks for the response, very much looking forward to that and welcome to the forum are you following @peterparker 's recommendation for defining them in the dfx.json or what’s the plan?

cryptoschindler · May 26, 2022, 1:46pm

very helpful, thanks for the example code. luckily i’m using svelte as well

mnl · May 26, 2022, 1:57pm

Thanks !
The feature is currently in a design phase. dfx.json was the initial plan, but it currently pivoted to having a JSON config file inside assets directory, however it may also be a subject to change, and I’m not sure what’s the schedule for solidifying the design, but we’re getting there!

let4be · November 26, 2024, 1:12am

any update? is it still not possible to set custom headers in asset canister?
I’d like to get basic http auth going

Severin · November 26, 2024, 8:58am

It is now possible to set custom headers. Example. But the asset canister is simply a static file server. If you want to do HTTP auth then you need to implement something custom

Topic		Replies	Views
Asset canister: HTTP headers Cache-Control and Access-Control-Allow-Origin Developers	19	1794	June 26, 2023
Is there a way to configure DFX asset canister? Rust	1	17	November 26, 2024
Modifying NGINX Server Configuration of Canister Developers	2	513	September 28, 2021
Asset canister source code? Developers	11	2839	October 10, 2022
How can I get a json file hosted on the IC with JS in the browser? [Anonymous Dev Question] Developers	4	681	January 23, 2023

Default asset canister headers

Related topics