Allow browser headers to be set for the friendly html page #43
Allows us to set security-related headers such as `X-Frame-Options` to avoid flagging up on security scanning tools. Related to OctopusDeploy/Issues#3884
@@ -315,6 +330,39 @@ static string DownloadStringIgnoringCertificateValidation(string uri) | |||
#endif | |||
} | |||
|
|||
static IEnumerable<KeyValuePair<string, string>> GetHeadersIgnoringCertificateValidation(string uri) | |||
{ | |||
#if NET40 |
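Review bot: GetHeadersIgnoringCertificateValidation opens its own `#if NET40` branch immediately after DownloadStringIgnoringCertificateValidation closes one with `#endif`, so the certificate-validation bypass ends up written out separately in two methods for each target framework. Consider moving the bypass into one shared helper that both methods call, and keeping it scoped to the single request rather than to process-wide state. The return type IEnumerable<KeyValuePair<string, string>> also gives each header exactly one string value; a short comment on how a header with several values is represented (joined or repeated) would make assertions on headers such as X-Frame-Options unambiguous.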
Why not just use `HttpClient` for both cases? No need to deal with `ServicePointManager` static shenanigans... :)
That would make sense...
Unfortunately that is not the case with the latest versions, OctopusDeploy/OctopusClients#121
Any reason to have the headers configurable instead of just including the security ones by default?
It's a good point I think. I ended up making the friendly HTML configurable back in 3.0 because the main reason this page is used is to diagnose connection issues. It's helpful to have a custom message to describe what the endpoint actually represents, a Tentacle or the Octopus Server. In the case of security headers, I'm not sure they need to be configurable - will they be likely to change between Octopus Server, Tentacle, or other consumers of our library? If I'm an external (non-Octopus) consumer of Halibut, would I be blocked in any way by these headers being hard-coded?
My thinking was:
I'm not wedded to the current solution - if either of you feels strongly about it, I'm happy to change.