Default asset canister headers

The security best practices name a few headers that should be set

Checking a normal asset canister deployed on the IC shows the above mentioned headers are missing. Can we add them to the asset caniater? I guess some of them need to be dynamically set according to the needs of the canister :thinking:


Currently you cannot out of the box define HTTP headers options for the default assets canister.

The doc you linked is indeed a bit misleading at the momment. II set headers on the http response because II uses its own asset canister. Therefore they were able to develop such a thing (Rust code source).

So one option currently is to fork the certified asset canister and to develop - set - your headers if you want the canister to set those information on HTTP response.

When it comes to the CSP, another option, what I do, is to add statically the CSP in your HTML pages.

The trade off is that you cannot set all CSP options. e.g. X-Frame-Options can only be set by the backend. Being said, you can set most of the CSP rules from the frontend too. I let you decide if you see the glass half empty or half full :wink:.

If you use Sveltkit as I do you can define the information in the svelte.config its quite handy (my CSP source for example).

1 Like

@cryptoschindler Thanks for bringing this up! We’re currently working on that. Once done, it will be possible to set custom HTTP headers.

1 Like

Thanks for the response, very much looking forward to that and welcome to the forum :slight_smile: are you following @peterparker 's recommendation for defining them in the dfx.json or what’s the plan?

very helpful, thanks for the example code. luckily i’m using svelte as well :smiley:

1 Like

Thanks :slight_smile: !
The feature is currently in a design phase. dfx.json was the initial plan, but it currently pivoted to having a JSON config file inside assets directory, however it may also be a subject to change, and I’m not sure what’s the schedule for solidifying the design, but we’re getting there!

1 Like