nginx: include security headers on error responses by alxndrsn · Pull Request #1651 · getodk/central

alxndrsn · 2026-02-17T10:13:57Z

Checks for always flag on the following nginx headers:

Strict-Transport-Security
X-Content-Type-Options
X-Frame-Options
Content-Security-Policy
Content-Security-Policy-Report-Only

Closes #1527

What has been done to verify that this works as intended?

added a semgrep rule

Why is this the best possible solution? Were any other approaches considered?

a similar check could be achieved with grep. semgrep may be more versatile, and pulls in community-provided checks
unit tests could be added instead/as well

How does this change affect users? Describe intentional changes to behavior and behavior that could have accidentally been affected by code changes. In other words, what are the regression risks?

No effect.

Does this change require updates to documentation? If so, please file an issue here and include the link below.

No.

Before submitting this PR, please make sure you have:

branched off and targeted the next branch OR only changed documentation/infrastructure (master is stable and used in production)
verified that any code or assets from external sources are properly credited in comments or that everything is internally sourced

This reverts commit 52f61e7.

This reverts commit 05693c9.

alxndrsn added 30 commits February 17, 2026 07:38

nginx: semgrep

eabf8b3

no-git-ignore

0251262

touch

25498c7

disable gixy for faster tests

63ca528

heredoc

ab194dd

try with a rule

7a16880

try escape

573b7bd

debg

bc28bde

generic lang

7c62c33

add some paths

d65fd88

apt-get

d720de2

increase timeout

ecba8e9

add community ruleset

dad8258

more haders, case insensitve

fa7458e

try excelude

536461b

tabs

3171cde

v

66485ab

make ERROR

1f0090f

exluce

24320c9

ellips?

e9f2829

fix paths

3f288bd

clude all

3bb524a

cli include

7e3ea15

specific files

1b84968

fix a violation; streamline the testing

40b9c21

reintro install steps

a346d04

reduce timeout again

f710102

remove todo

279ce39

remove comment

2e6f34b

run on all files

27671d5

alxndrsn added 13 commits February 17, 2026 09:49

fiail on error?

9401cef

refactor

e1c8ca4

add loads of always

8f2f8ed

X-Frame-Options

7d4b7c5

X-Content-Type-Options

52f61e7

fiail on ly onerr

1f8796a

Revert "X-Content-Type-Options"

05693c9

This reverts commit 52f61e7.

Revert "Revert "X-Content-Type-Options""

c5abe61

This reverts commit 05693c9.

ci: revet change

14ae294

tidy up gixy comments

d7ccb76

dockerignore: include /test/ dir

2f07f17

gnore test more

8b5eba0

revert dockerignore change

53b86af

alxndrsn marked this pull request as ready for review February 17, 2026 10:26

lognaturel approved these changes Feb 17, 2026

View reviewed changes

matthew-white linked an issue Feb 17, 2026 that may be closed by this pull request

Use always for security headers #1527

Closed

Merge branch 'next' into always-headers

87ccb6e

alxndrsn merged commit 541506a into getodk:next Feb 18, 2026
5 checks passed

matthew-white mentioned this pull request Feb 19, 2026

Use always for security headers #1527

Closed

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

nginx: include security headers on error responses#1651

nginx: include security headers on error responses#1651
alxndrsn merged 44 commits intogetodk:nextfrom
alxndrsn:always-headers

alxndrsn commented Feb 17, 2026 •

edited

Loading

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants

Conversation

alxndrsn commented Feb 17, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

What has been done to verify that this works as intended?

Why is this the best possible solution? Were any other approaches considered?

How does this change affect users? Describe intentional changes to behavior and behavior that could have accidentally been affected by code changes. In other words, what are the regression risks?

Does this change require updates to documentation? If so, please file an issue here and include the link below.

Before submitting this PR, please make sure you have:

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants

alxndrsn commented Feb 17, 2026 •

edited

Loading