✔ Where is the structured header reference hosted?

[ecki]

While watching some presentations of the project I got the impression there is somewhere a canonical place for a structured list of headers. But it’s not really mentioned anywhere. The REST API design document also mentions a canonical source for all headers. So where is it? :)

i especially would like to have the list of headers to avoid in a self refreshing url (and not sure I need a rest service for it, but if you want to provide it it’s also fine, where will it be available?)

[righettod]

Hi,

You remarks are totally accurate and I share them totally 😃

During the work on the API, I was figuring that we need to have a way to store the reference headers configuration in a machine processable way.

💬 I can propose this idea

Replace the following tables:

By a JSON file stored in the website GH repo using such content:

📑 Link to JSON Viewer

{
  "add": [
    {
      "name": "Strict Transport Security",
      "value": "max-age=31536000 ; includeSubDomains"
    },
    {
      "name": "X-Frame-Options",
      "value": "deny"
    }
  ],
  "remove": [
    "Server",
    "Liferay-Portal"
  ]
}

@riramar @ecki What do you think?

[riramar]

@righettod I agree with your aproach.

[ecki]

Yes, one or possibly two JSON files for those usecases. I would go with two as the Schema are quite different. But the question is, how to generate the readable tables on the web site out of it? (For the remove well have a „description“ and „example“ column?)

[righettod]

Yes, one or possibly two JSON files for those usecases. I would go with two as the Schema are quite different.

Make sense, let's go for 2 JSON files.

But the question is, how to generate the readable tables on the web site out of it? (For the remove well have a „description“ and „example“ column?)

Perhaps I'm wrong, but, the way in which the HTML site is generated will cause some issue if we generate the markdown content dynamically.

My proposal to follow your proposal is to add HTML comment as marker for both tables on the markdown file and then have a GitHub action that generate the both JSON file based on markdown content automatically when the markdown is updated. With python it is possible in a stable way.

[righettod]

Implemented with OWASP/www-project-secure-headers#88

[righettod]

I submitted the OWASP/www-project-secure-headers#89 to try to fix the broken tables 😥

[righettod]

✅ References files now provided and automatically updated:

• Headers to add
• Headers to remove

⚒ They will be used, as foundation, for the work on #6