Re: site-wide headers

Willy Tarreau <> Sat, 01 October 2016 06:17 UTC

Date: Sat, 1 Oct 2016 08:12:55 +0200
From: Willy Tarreau <>
To: Martin Thomson <>
Cc: Mark Nottingham <>, HTTP Working Group <>

Hi Martin,

On Wed, Sep 28, 2016 at 09:00:05PM +1000, Martin Thomson wrote:
> (
> I like this approach because it is more obviously composable into an
> existing system at the consuming end.  I especially like that the
> format is without opinion about its contents.  That makes it quite
> powerful.
> I dislike this approach (in contrast to the JSON-based
> origin-policy[1]) because it uses header fields.  Of course that makes
> it better suited to HTTP.

In fact that's what I find powerful here. I know *many* places where
these headers are set by the front reverse-proxy, simply because it
ensures that they're uniform across all the servers. But it also
happens that there are exceptions (eg: for some static servers or
certain unrelated applications). With this mechanism, there's almost
nothing to change in the way it works. The admin will just have to
add "HS" to the responses instead of adding all these header fields,
when the reverse-proxy notices that the client provided the valid SM
field. And it also ensures the proxy can simply remove HS: and replace
it with all appropriate headers when it comes from a server where it's
not appropriate at all (you know, some application developers like to
copy-paste when they don't know).

So in fact, it supports everything already supported today but the
smarter way. It's really nice in my opinion.