Add a section to the config file for HTTP headers to add to responses

The example configuration files add X-Content-Type-Options: nosniff. Add coverage in existing registry/handlers unit tests. Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com>
2015-08-10 14:20:52 -07:00 · 2015-08-10 14:20:52 -07:00 · 9c3bed6b88
commit 9c3bed6b88
parent 4f7cb60190
8 changed files with 68 additions and 1 deletions
--- a/docs/configuration.md
+++ b/docs/configuration.md
@ -163,6 +163,8 @@ information about each option that appears later in this page.
          - /path/to/another/ca.pem
      debug:
        addr: localhost:5001
+      headers:
+        X-Content-Type-Options: [nosniff]
    notifications:
      endpoints:
        - name: alistener
@ -1147,6 +1149,8 @@ configuration may contain both.
          - /path/to/another/ca.pem
      debug:
        addr: localhost:5001
+      headers:
+        X-Content-Type-Options: [nosniff]

 The `http` option details the configuration for the HTTP server that hosts the registry.

@ -1275,6 +1279,21 @@ The `debug` section takes a single, required `addr` parameter. This parameter
 specifies the `HOST:PORT` on which the debug server should accept connections.


+### headers
+
+The `headers` option is **optional** . Use it to specify headers that the HTTP
+server should include in responses. This can be used for security headers such
+as `Strict-Transport-Security`.
+
+The `headers` option should contain an option for each header to include, where
+the parameter name is the header's name, and the parameter value a list of the
+header's payload values.
+
+Including `X-Content-Type-Options: [nosniff]` is recommended, so that browsers
+will not interpret content as HTML if they are directed to load a page from the
+registry. This header is included in the example configuration files.
+
+
 ## notifications

    notifications: