NotionCommotion
Posted September 22, 2019

An HTTP request is made to the server, Slim creates a Request and Response object, content in the Request is sent to another server using cURL via Guzzle, Guzzle returns its own Response, and content from Guzzle's response must be returned by the original Slim response.

Would you recommend white-listing or black-listing response headers, and which specific headers?

Similarly, would you recommend white-listing or black-listing the request headers sent via cURL, and which specific headers?

Thanks

```php
<?php
use Psr\Http\Message\ResponseInterface as Response;
use GuzzleHttp\Psr7\Response as CurlResponse;

class ApiResponder
{
    public function delete(Response $httpResponse, CurlResponse $curlResponse)
    {
        return $this->proxy($httpResponse, $curlResponse);
    }

    //other public methods...

    private function proxy(Response $httpResponse, CurlResponse $curlResponse)
    {
        // Copy the filtered upstream headers, then the body and status code, onto the Slim response.
        foreach ($this->getResponseHeaders($curlResponse) as $name => $value) {
            $httpResponse = $httpResponse->withHeader($name, $value);
        }
        return $httpResponse->withBody($curlResponse->getBody())->withStatus($curlResponse->getStatusCode());
    }

    private function getResponseHeaders(CurlResponse $curlResponse): array
    {
        //Blacklist of headers which should not be returned to original client. TBD whether I should whitelist headers instead.
        //Note: array_diff_key() compares header names case-sensitively.
        $blacklist = ['Date' => null, 'Server' => null, 'X-Powered-By' => null, 'Access-Control-Allow-Origin' => null, 'Access-Control-Allow-Methods' => null, 'Access-Control-Allow-Headers' => null, 'Set-Cookie' => null];
        return array_diff_key($curlResponse->getHeaders(), $blacklist);
    }

    /**
     * This method doesn't really exist in this class, but is just included to show which headers I am forwarding in the cURL request.
     */
    private function getRequestHeaders($clientRequest): array
    {
        $whitelist = ['connection' => null, 'accept' => null, 'accept-encoding' => null, 'accept-language' => null, 'content-type' => null, 'content-length' => null];
        return array_intersect_key($clientRequest->getHeaders(), $whitelist);
    }
}
```
requinix
Posted September 22, 2019

If you're intending to act as a proxy then the behavior of proxies when it comes to returning headers is defined for HTTP and you should mirror it. If you're intending to just kinda act as a middleware between the client and the actual source you're communicating with then I would whitelist by mapping the headers you know the remote server will return to headers that your service should return.
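One way to combine the whitelist-by-mapping approach suggested above with the HTTP rule that hop-by-hop headers are not forwarded, as an added example that is not part of either post. `filterHeaders`, `RESPONSE_MAP` and the header names in the map are assumptions; the function takes the array shape returned by PSR-7 `getHeaders()`, so it runs without Slim or Guzzle.

```php
<?php
declare(strict_types=1);

// Hop-by-hop headers defined for HTTP/1.1; a proxy does not forward these.
const HOP_BY_HOP = ['connection', 'keep-alive', 'proxy-authenticate',
    'proxy-authorization', 'te', 'trailer', 'transfer-encoding', 'upgrade'];

// Hypothetical allowlist: lower-case upstream name => name sent to the client.
const RESPONSE_MAP = [
    'content-type'  => 'Content-Type',
    'cache-control' => 'Cache-Control',
    'etag'          => 'ETag',
    'location'      => 'Location',
    'x-request-id'  => 'X-Request-Id',
];

/** $headers has the shape returned by PSR-7 getHeaders(): name => string[]. */
function filterHeaders(array $headers, array $map): array
{
    // getHeaders() keeps the sender's casing, so normalise names before matching.
    $lower = [];
    foreach ($headers as $name => $values) {
        $key = strtolower((string) $name);
        $lower[$key] = array_merge($lower[$key] ?? [], $values);
    }
    // Any header named in Connection is hop-by-hop for this connection too.
    $drop = HOP_BY_HOP;
    foreach ($lower['connection'] ?? [] as $line) {
        foreach (explode(',', $line) as $token) {
            $drop[] = strtolower(trim($token));
        }
    }
    $out = [];
    foreach ($map as $from => $to) {
        if (isset($lower[$from]) && !in_array($from, $drop, true)) {
            $out[$to] = $lower[$from];
        }
    }
    return $out;
}

// Constructed sample input, not taken from a real upstream server.
$upstream = [
    'content-type'      => ['application/json'],
    'SERVER'            => ['nginx'],
    'Set-Cookie'        => ['sid=abc; HttpOnly'],
    'Connection'        => ['keep-alive, X-Request-Id'],
    'X-Request-Id'      => ['7f3a'],
    'Transfer-Encoding' => ['chunked'],
];
print_r(filterHeaders($upstream, RESPONSE_MAP));
```

In the `proxy()` method from the question, the returned array can feed the existing `withHeader()` loop unchanged, since each value is already a list of strings.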