#yada
2016-07-28
lmergen 09:07:48

right, so, i finally figured out why this is...

lmergen 09:07:03

apparently, it only adds these headers when it's using either SSL or X-Forwarded-For

lmergen 09:07:09

i think the assumption is being made that when an X-Forwarded-For header is set, it's https and being terminated at the proxy, but i think this is wrong

dominicm 09:07:56

Is there a way to know that you're behind a proxy AND using ssl?

lmergen 09:07:47

no, but it seems wrong to me to assume you're behind SSL when you're behind a proxy

lmergen 09:07:55

this should be a configuration parameter, imho

dominicm 10:07:24

Oh, it is wrong (under the premise that these headers should only be on for SSL)

dominicm 10:07:46

Yada tries to be smart though. This behaviour is part of the design.

dominicm 10:07:01

It's supposed to encourage HTTP spec compliance as automatically as possible.

malcolmsparks 10:07:19

I think it should be configurable. I was going to mention that the interceptor that adds these headers can be replaced - see yada.interceptors for some convenience fns that demonstrate how

malcolmsparks 10:07:10

The interceptor involved is a bit of a first-draft

dominicm 10:07:29

Does this mean that a resource will need to know if it's behind SSL or not?

lmergen 11:07:42

that makes sense, that's part of your infrastructure configuration, not your service configuration

lmergen 11:07:09

this is just an issue with the http protocol not having any support for this

lmergen 11:07:53

the problem right now is that Content-Security-Policy basically cripples your website if it's served over http