I need to add Content-Security-Policy in all my response headers. The trick is that I need to set the value of the header to a param that comes in the URL query, so, for instance, if my request is https://example.com?foo=bar, then my header should be Content-Security-Policy: bar.
So far, I've been trying to do it with Traefik, as all requests and responses are processed by it. My app consists of a Rails backend with a React frontend, both of them hosted on a static server in different folders; therefore, I have two compose files, one that defines all back services and one that defines the front. My back end compose:
```yaml
services:
  rails: ...
  traefik:
    image: traefik:v2.9
    container_name: onlypays-traefik
    command:
      - "--api.dashboard=true"
      - "--providers.docker=true"
      - "--providers.docker.exposedbydefault=false"
      - "--entrypoints.web.address=:80"
      - "--entrypoints.websecure.address=:443"
      - "--entrypoints.web.http.redirections.entryPoint.to=websecure"
      - "--entrypoints.web.http.redirections.entryPoint.scheme=https"
      - "--certificatesresolvers.leresolver.acme.tlschallenge=true"
      - "--certificatesresolvers.leresolver.acme.email=my@email.com"
      - "--certificatesresolvers.leresolver.acme.storage=/certificates/acme.json"
      - "--log.level=DEBUG"
    ports:
      - 80:80
      - 8080:8080
      - 443:443
    restart: unless-stopped
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - ./stag.certs:/certificates
```
My current front end compose:
```yaml
services:
  node:
    ...
    labels:
      traefik.enable: 'true'
      traefik.port: 80
      traefik.http.routers.node.rule: Host(`my.host.com`)
      traefik.http.services.node.loadbalancer.server.port: 80
      traefik.http.routers.node.tls: true
      traefik.http.routers.node.tls.certresolver: leresolver
      traefik.http.routers.node.middlewares: add-csp-header@docker
      traefik.http.middlewares.add-csp-header.headers.customresponseheaders.Content-Security-Policy: "{{ .Request }}"
```
I've tried a lot of other configurations, but I lost track of them. This one is the closest I have got yet: it does set a response header, but it doesn't fix it to the actual request, whatever it is; instead it sets the header to Content-Security-Policy: {{ .Request }} (check the last line of the second compose). In that same line I have also tried with other stuff, such as "Host(`{{requestHost}}`)", "Host: {{requestHost}}", "{{.Request.Header.Get \"Host\"}}" or "{{ .Query.Get \"param_name\" }}". I'm not really an expert in Traefik and I'm running out of ideas; my last attempt was to upgrade the Traefik version from 2.3 to 2.9 (as the current compose file states). I'll be glad if anybody gives me some idea or points out my mistake.
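The `customresponseheaders` label value is sent as a literal string, as the post observes, so a per-request value has to be computed by code that sees the request. The following is an added example, not part of the original post and not Traefik configuration: a Go `net/http` middleware that builds the header from the query parameter, rebuilding the policy from validated tokens instead of echoing the raw value. The parameter name `foo` comes from the post's example URL; the fallback policy, the allowed directive set and the source-token pattern are assumptions made for this example.

```go
package main

import (
	"fmt"
	"net/http"
	"regexp"
	"strings"
)

// Constructed values for this example; replace with the application's own.
const fallbackCSP = "default-src 'self'"

var allowedDirectives = map[string]bool{
	"default-src": true, "script-src": true, "style-src": true,
	"img-src": true, "connect-src": true, "frame-ancestors": true,
}

// Accepted sources: 'self', 'none', https:, or a dotted host with optional port.
var sourceToken = regexp.MustCompile(`^('self'|'none'|https:|(\*\.)?[a-z0-9-]+(\.[a-z0-9-]+)+(:[0-9]+)?)$`)

// policyFromQuery rebuilds the policy from accepted tokens only, so control
// characters in the parameter never reach the header; anything else falls back.
func policyFromQuery(raw string) string {
	var directives []string
	for _, d := range strings.Split(raw, ";") {
		fields := strings.Fields(d) // splits on any whitespace, including CR/LF
		if len(fields) < 2 || !allowedDirectives[fields[0]] {
			return fallbackCSP
		}
		for _, src := range fields[1:] {
			if !sourceToken.MatchString(src) {
				return fallbackCSP
			}
		}
		directives = append(directives, strings.Join(fields, " "))
	}
	return strings.Join(directives, "; ")
}

// CSPFromQuery sets the header from the named query parameter, then calls next.
func CSPFromQuery(param string, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("Content-Security-Policy", policyFromQuery(r.URL.Query().Get(param)))
		next.ServeHTTP(w, r)
	})
}

func main() {
	fmt.Println(policyFromQuery("default-src 'self'; img-src cdn.example.com"))
}
```

Wrap the application handler as `CSPFromQuery("foo", appHandler)`; a value such as the post's `bar`, which is not a valid policy, yields the fallback.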