Supporting a Secure Headers Worker

[evolve2k]

Before coming to Linc, I've been using CW to provide secure headers, per this guidance from Scott Helme
https://scotthelme.co.uk/security-headers-cloudflare-worker

Now that my site is deployed to my domain with linc, I want to get secure headers configured.

When I was hosting with github pages, the security headers worker would just work.
It's not working now that the site is "hosted" in a CW itself with Linc.

Here's Scott's Worker code secure-headers-worker.js

How can I get this working?

Thanks again for all the help folks!

[evanderkoogh]

Oh no, we are extremely grateful for your help in figuring out where the gaps are in our documentation!

FABs are designed to include all the server-side logic you want. The example Attaching a FAB bundle ID header to all outgoing responses should give you everything you need right now.

Right now you would need to do this manually, but this is a text-book example of why @geelen wanted to create the FAB plugin system. So that you can do just add this functionality with one simple fab-cli command.

If you are feeling adventurous you can try to create the plugin yourself with this plugin documentation . But I would absolutely first get it working in a custom server.

@geelen and myself are currently fully focused on getting a new massive (re)release of Linc out. But we will certainly take a look at this in a couple weeks.

[evanderkoogh]

Created an issue on the FAB repo to track this: fab-spec/fab#233

[evolve2k]

Just giving this one a bump :)

[evanderkoogh]

Hey @evolve2k, just clarifying what you need help with. Getting it working in your own application, or are you looking for the plugin?

[evolve2k]

Developing a fab plugin is a bit outside where I'm up to right now.
Hoping for a plugin from you fine folks.

To make my pitch again; being able to support custom security headers is a generalised feature that should be of benefit to most fab users.

Hoping it can go onto your teams priority list to resolve.