#duct
2018-05-24
lambder 11:05:38

How do I remove:

:security {:content-type-options :nosniff}
?

lambder 11:05:53

from :duct.middleware.web/defaults

lambder 11:05:30

Setting :security {:content-type-options nil} is not forcing the config merge to dissoc the value.

weavejester 11:05:36

Curious that doesn’t work. Can you report it as a bug, @lambder?

weavejester 11:05:38

As a workaround, you should be able to write:

:duct.middleware.web/defaults
{:security ^:replace {:anti-forgery true
                      :xss-protection {:enable? true, :mode :block}
                      :frame-options :sameorigin}}

jahson 12:05:16

Is there any way to put middleware to the top of :middleware other than replacing whole :middleware vector?

weavejester 12:05:18

Yes, you can use ^:prepend

weavejester 12:05:45

But for more complex stuff you currently have to replace the :middleware vector

jahson 12:05:38

But I should, probably, use ^:append to make my middleware execute first?

weavejester 12:05:12

Append is the default when you merge, so you can forgo it in that case.

weavejester 12:05:25

It depends whether you want your middleware to be inside or outside.

weavejester 12:05:44

Usually you want it to be inside, since then you gain benefits from error handling, parameters, session etc.

jahson 12:05:02

I will add this to my notes about Duct 🙂

lambder 14:05:59

@weavejester having:

:duct.module.web/site {}
:duct.middleware.web/defaults {:security ^:replace {:anti-forgery true
                                                    :xss-protection {:enable? true, :mode :block}
                                                    :frame-options :sameorigin}}

lambder 14:05:03

results in:

lambder 14:05:14

:duct.middleware.web/defaults {:params {:urlencoded true, :multipart true, :nested true, :keywordize true},
                                :cookies true,
                                :session {:flash true, :cookie-attrs {:http-only true, :same-site :strict}},
                                :security {:anti-forgery true,
                                           :xss-protection {:enable? true, :mode :block},
                                           :frame-options :sameorigin,
                                           :content-type-options :nosniff},
                                :static {:resources ["duct/module/web/public" "firds_mirror/public"]},
                                :responses {:not-modified-responses true,
                                            :absolute-redirects true,
                                            :content-types true,
                                            :default-charset "utf-8"}},

weavejester 16:05:13

@lambder Can you give me more information, such as the context and dependency versions? I can’t replicate your results.

lambder 17:05:31

will do tomorrow