
An HTTP request is made to the server, Slim creates a Request and Response object, content in the Request is sent to another server using cURL via Guzzle, Guzzle returns its own Response, and content from Guzzle's response must be returned by the original Slim response.

Would you recommend white-listing or black-listing response headers, and which specific headers?

Similarly, would you recommend white-listing or black-listing the request headers sent via cURL, and which specific headers?

Thanks

<?php
use Psr\Http\Message\ResponseInterface as Response;
use GuzzleHttp\Psr7\Response as CurlResponse;

class ApiResponder
{
    public function delete(Response $httpResponse, CurlResponse $curlResponse) {
        return $this->proxy($httpResponse, $curlResponse);
    }
    //other public methods...

    // Copy the filtered upstream headers, then the body and status code, onto the Slim response.
    private function proxy(Response $httpResponse, CurlResponse $curlResponse) {
        foreach($this->getResponseHeaders($curlResponse) as $name=>$value) {
            $httpResponse=$httpResponse->withHeader($name, $value);
        }
        return $httpResponse->withBody($curlResponse->getBody())->withStatus($curlResponse->getStatusCode());
    }

    private function getResponseHeaders(CurlResponse $curlResponse):array
    {
        //Blacklist headers which should NOT be returned to original client.  TBD whether I should whitelist headers instead.
        $blacklist=['date'=>null, 'server'=>null, 'x-powered-by'=>null, 'access-control-allow-origin'=>null, 'access-control-allow-methods'=>null, 'access-control-allow-headers'=>null, 'set-cookie'=>null];
        //Header names are case-insensitive and getHeaders() keeps the upstream's casing, so compare lowercased keys.
        return array_diff_key(array_change_key_case($curlResponse->getHeaders(), CASE_LOWER), $blacklist);
    }

    /**
    * This method doesn't really exist in this class, but is just included to show which headers I am forwarding in the cURL request.
    */
    private function getRequestHeaders($clientRequest):array
    {
        $whitelist=['connection'=>null,'accept'=>null,'accept-encoding'=>null,'accept-language'=>null,'content-type'=>null,'content-length'=>null];
        //Lowercase the incoming names too, otherwise 'Accept' never matches the lowercase whitelist key.
        return array_intersect_key(array_change_key_case($clientRequest->getHeaders(), CASE_LOWER), $whitelist);
    }
}


If you're intending to act as a proxy then the behavior of proxies when it comes to returning headers is defined for HTTP and you should mirror it.

If you're intending to just kinda act as a middleware between the client and the actual source you're communicating with then I would whitelist by mapping the headers you know the remote server will return to headers that your service should return.
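One way to implement the whitelist-by-mapping approach the reply suggests, which also drops the hop-by-hop headers a proxy must never forward. This is an added example, not code from the original post or from Slim or Guzzle; it assumes only that headers arrive as PSR-7 style arrays (name => list of strings), and the allow-list and sample headers are constructed for illustration.

```php
<?php
// Added example, not from the original post. Works on plain PSR-7 style header arrays.

// Hop-by-hop headers (RFC 7230 section 6.1): a proxy must not forward these.
const HOP_BY_HOP = ['connection', 'keep-alive', 'proxy-authenticate',
    'proxy-authorization', 'te', 'trailer', 'transfer-encoding', 'upgrade'];

// Allow-list of response headers, lowercase name => canonical name to emit.
// Constructed for this example; extend it to what your upstream really returns.
const RESPONSE_ALLOW = [
    'content-type'  => 'Content-Type',
    'cache-control' => 'Cache-Control',
    'etag'          => 'ETag',
];

// Names listed in a Connection header are hop-by-hop too (RFC 7230 section 6.1).
function connectionListedNames(array $headers): array
{
    foreach ($headers as $name => $values) {
        if (strtolower($name) === 'connection') {
            return array_map('trim', explode(',', strtolower(implode(',', $values))));
        }
    }
    return [];
}

// Keep only allow-listed headers, matched case-insensitively, minus hop-by-hop ones.
function filterHeaders(array $headers, array $allow): array
{
    $drop = array_merge(HOP_BY_HOP, connectionListedNames($headers));
    $out = [];
    foreach ($headers as $name => $values) {
        $key = strtolower($name);
        if (in_array($key, $drop, true) || !isset($allow[$key])) {
            continue;
        }
        $out[$allow[$key]] = $values;
    }
    return $out;
}

// Constructed sample of what Guzzle's getHeaders() might hand back.
$upstream = [
    'Content-Type'     => ['application/json'],
    'Set-Cookie'       => ['sid=abc; HttpOnly'],
    'Connection'       => ['close, X-Internal'],
    'X-Internal'       => ['1'],
    'Content-Encoding' => ['gzip'],
    'ETag'             => ['"v1"'],
];
print_r(filterHeaders($upstream, RESPONSE_ALLOW));
```

Content-Length and Content-Encoding are deliberately absent from the allow-list: Guzzle decodes compressed bodies by default, so the upstream values would no longer describe the body Slim actually sends. The request side can use the same function with its own map, keeping Cookie, Authorization and Host off it.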
