Add headers to SockJS connection?


I've been running security checks on my Meteor application using ZAP (an automated security scanning tool). I've been able to solve a lot of security issues, but I'm still getting warnings on part of the application. For example, the following error:

Web Browser XSS Protection is not enabled, or is disabled by the configuration of the 'X-XSS-Protection' HTTP response header on the web server

These warnings have to do with the HTTP headers.

The following code solves the above header security concerns on all normal pages:

import { WebApp } from 'meteor/webapp';

// Runs before Meteor's own connect handlers, so the header is set on
// every response produced by the normal HTTP stack.
WebApp.rawConnectHandlers.use(function(req, res, next) {
  res.setHeader('X-XSS-Protection', '1; mode=block');
  next();
});

But on all /sockjs/info?cb=XXX calls (e.g. /sockjs/info?cb=4yiv7ncev4) some of the headers added with res.setHeader() are not included. If I understand correctly, these are calls between server and client, like subscriptions or calls to Meteor methods, and the framework used is SockJS.

Is there any way to include extra headers in these websocket connections?

Thank you so much for your help!


Best answer

Try this:

import { WebApp } from 'meteor/webapp';
import { _ } from 'meteor/underscore';

// Keep a copy of every 'request' listener currently attached to the Node
// http.Server (Meteor's connect stack and the SockJS handler), then detach them.
const oldHttpServerListeners = WebApp.httpServer.listeners('request').slice(0);
WebApp.httpServer.removeAllListeners('request');

// A single replacement listener: set the header first, then hand the
// unchanged (request, response) pair to each original listener in order.
const newListener = function(request, response) {
  const args = arguments;

  response.setHeader('X-XSS-Protection', '1; mode=block');

  _.each(oldHttpServerListeners, function(oldListener) {
    oldListener.apply(WebApp.httpServer, args);
  });

};

WebApp.httpServer.addListener('request', newListener);