# `no-html-only-headers`

`no-html-only-headers` checks whether response headers that only make sense for HTML documents are also sent for other resources. It warns against responding with HTTP headers that
are not needed for non-HTML (or non-XML) resources.
## Why is this important?

Some HTTP headers make no sense on non-HTML resources: the browser only
acts on them when rendering a document, so sending them with stylesheets,
images or fonts provides no value to users and only contributes to header
bloat. (`X-XSS-Protection` in particular only ever controlled the XSS
auditor of older browsers; current Chromium-based browsers have removed it
and Firefox never implemented it, so it is of little value even on HTML.)
## What does the hint check?

The hint checks whether non-HTML responses include any of the following
HTTP headers:
* Content-Security-Policy
* X-Content-Security-Policy
* X-UA-Compatible
* X-WebKit-CSP
* X-XSS-Protection
In the case of a JavaScript file, `Content-Security-Policy` and
`X-Content-Security-Policy` are ignored, since CSP also applies to
workers: a script loaded as a worker is governed by the policy delivered
with the script's own response, not by the policy of the page.
### Examples that trigger the hint

Response for `/test.js`:

```text
HTTP/... 200 OK
Content-Type: text/javascript; charset=utf-8
...
X-UA-Compatible: IE=Edge,
X-WebKit-CSP: default-src 'none'
X-XSS-Protection: 1; mode=block
...
```

Response for `/test.html` (served with a non-HTML media type):

```text
HTTP/... 200 OK
Content-Type: x/y
...
Content-Security-Policy: default-src 'none'
X-Content-Security-Policy: default-src 'none'
X-UA-Compatible: IE=Edge,
X-WebKit-CSP: default-src 'none'
X-XSS-Protection: 1; mode=block
...
```
### Examples that pass the hint

Response for `/test.js` (only the CSP headers, which are allowed on scripts):

```text
HTTP/... 200 OK
Content-Type: text/javascript; charset=utf-8
Content-Security-Policy: default-src 'none'
X-Content-Security-Policy: default-src 'none'
...
```

Response for `/test.html`:

```text
HTTP/... 200 OK
Content-Type: text/html
...
Content-Security-Policy: default-src 'none'
X-Content-Security-Policy: default-src 'none'
X-UA-Compatible: IE=Edge,
X-WebKit-CSP: default-src 'none'
X-XSS-Protection: 1; mode=block
...
```

Response for `/test.xml`:

```text
HTTP/... 200 OK
Content-Type: application/xhtml+xml
...
Content-Security-Policy: default-src 'none'
X-Content-Security-Policy: default-src 'none'
X-UA-Compatible: IE=Edge,
X-WebKit-CSP: default-src 'none'
X-XSS-Protection: 1; mode=block
...
```
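The check described above, as an added example in JavaScript (this is not webhint's own source code): a stand-alone re-implementation of the rule, including the JavaScript/CSP exception and the `include`/`ignore` options the hint accepts, run over constructed responses that mirror the examples on this page. The set of media types treated as HTML/XML documents and as JavaScript is an assumption chosen to match those examples; function names are mine.

```javascript
'use strict';

// Added example, not webhint's source. Re-implements the no-html-only-headers
// rule so it can be run over captured responses.

// Headers the hint disallows on non-HTML responses by default.
const DEFAULT_DISALLOWED = [
    'content-security-policy',
    'x-content-security-policy',
    'x-ua-compatible',
    'x-webkit-csp',
    'x-xss-protection',
];

// CSP also governs workers, so these two are tolerated on JavaScript responses.
const CSP_HEADERS = new Set(['content-security-policy', 'x-content-security-policy']);

// Assumption: media types treated as HTML/XML documents (never reported) and
// as JavaScript (CSP headers tolerated). Chosen to match the page's examples.
const DOCUMENT_TYPES = new Set(['text/html', 'application/xhtml+xml', 'application/xml', 'text/xml']);
const SCRIPT_TYPES = new Set(['text/javascript', 'application/javascript', 'application/x-javascript']);

// Case-insensitive lookup of a header value in a plain { name: value } object.
function findHeader(headers, name) {
    const key = Object.keys(headers).find((k) => k.toLowerCase() === name);
    return key === undefined ? undefined : headers[key];
}

// Media type of the response: "text/javascript; charset=utf-8" -> "text/javascript".
function mediaType(headers) {
    const value = findHeader(headers, 'content-type');
    return value ? value.split(';')[0].trim().toLowerCase() : '';
}

// Effective disallowed set: defaults plus `include`, minus `ignore`.
function disallowedHeaders({ include = [], ignore = [] } = {}) {
    const lower = (list) => list.map((h) => h.toLowerCase());
    const set = new Set([...DEFAULT_DISALLOWED, ...lower(include)]);
    for (const h of lower(ignore)) {
        set.delete(h);
    }
    return set;
}

// HTML-only headers present on one response, lower-cased and sorted; [] for
// documents and for clean responses. A missing or unknown Content-Type counts
// as non-HTML, so the "x/y" example above is reported in full.
function htmlOnlyHeadersIn(headers, config) {
    const type = mediaType(headers);
    if (DOCUMENT_TYPES.has(type)) {
        return [];
    }
    const disallowed = disallowedHeaders(config);
    const isScript = SCRIPT_TYPES.has(type);
    return Object.keys(headers)
        .map((h) => h.toLowerCase())
        .filter((h) => disallowed.has(h) && !(isScript && CSP_HEADERS.has(h)))
        .sort();
}

// Run the check over several responses; one report entry per offending URL.
function scan(responses, config) {
    const report = [];
    for (const { url, headers } of responses) {
        const found = htmlOnlyHeadersIn(headers, config);
        if (found.length > 0) {
            report.push({ url, headers: found });
        }
    }
    return report;
}

// Constructed responses mirroring the trigger/pass examples on this page.
const CSP = "default-src 'none'";
const SAMPLES = [
    { url: '/test.js', headers: { 'Content-Type': 'text/javascript; charset=utf-8',
        'X-UA-Compatible': 'IE=Edge', 'X-WebKit-CSP': CSP, 'X-XSS-Protection': '1; mode=block' } },
    { url: '/test.html', headers: { 'Content-Type': 'x/y', 'Content-Security-Policy': CSP,
        'X-Content-Security-Policy': CSP, 'X-UA-Compatible': 'IE=Edge', 'X-WebKit-CSP': CSP,
        'X-XSS-Protection': '1; mode=block' } },
    { url: '/test.js', headers: { 'Content-Type': 'text/javascript; charset=utf-8',
        'Content-Security-Policy': CSP, 'X-Content-Security-Policy': CSP } },
    { url: '/test.html', headers: { 'Content-Type': 'text/html', 'Content-Security-Policy': CSP,
        'X-UA-Compatible': 'IE=Edge', 'X-XSS-Protection': '1; mode=block' } },
    { url: '/test.xml', headers: { 'Content-Type': 'application/xhtml+xml',
        'Content-Security-Policy': CSP, 'X-XSS-Protection': '1; mode=block' } },
];

console.log(JSON.stringify(scan(SAMPLES), null, 2));
```

Only the first two samples are reported: the third is a script carrying nothing but CSP headers, and the last two are documents. Passing `{ ignore: ['Content-Security-Policy'], include: ['Custom-Header'] }` as the second argument of `scan` reproduces the configuration example further down the page.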
## How to configure Apache

Apache can be configured to remove headers using the [Header
directive][header directive].

To remove the headers that are not needed for non-HTML resources,
you can do something such as the following:

```apache
# Because mod_headers cannot match based on the content-type,
# the following workaround needs to be used: match on the file
# extensions of the non-HTML resources you serve and unset the
# headers only there. The extension list below is illustrative;
# extend it for your site.
<IfModule mod_headers.c>
    <FilesMatch "\.(css|js|mjs|json|svg|png|jpe?g|gif|webp|ico|woff2?|ttf|txt|pdf|map)$">
        Header unset X-UA-Compatible
        Header unset X-XSS-Protection
        Header unset Content-Security-Policy
        Header unset X-Content-Security-Policy
        Header unset X-WebKit-CSP
    </FilesMatch>
</IfModule>
```
Note that:

* The above snippet works with Apache v2.2.0+, but you need to have
  [`mod_headers`][mod_headers] [enabled][how to enable apache modules]
  for it to take effect.
* If you have access to the [main Apache configuration file][main
  apache conf file] (usually called `httpd.conf`), you should add
  the logic in, for example, a [`<Directory>`][apache directory]
  section in that file. This is usually the recommended way, as
  [using `.htaccess` files slows down][htaccess is slow] Apache!
If you don't have access to the main configuration file (quite
common with hosting services), add the snippets in a .htaccess
file in the root of the web site/app.
For the complete set of configurations, not just for this rule, see
the [Apache server configuration related documentation][apache config].

## How to configure IIS
If your application is adding the headers unconditionally to all
responses and you cannot modify it, the solution is to create
[URL rewrite rules][url rewrite] that will remove them from
any resource whose `Content-Type` header isn't `text/html`:
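The following `web.config` fragment is an added example, not the original snippet from this page or webhint's own configuration. It assumes the IIS URL Rewrite module is installed and uses one outbound rule per header; the rule names are arbitrary. In the `RESPONSE_*` server-variable names the header's dashes are written as underscores, the naming the URL Rewrite module uses for response headers; verify it against the module version you run.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
    <system.webServer>
        <rewrite>
            <outboundRules>
                <!-- Added example. Each rule matches one HTML-only response
                     header and blanks it (an empty rewrite removes the header)
                     unless the response Content-Type starts with text/html.
                     Adjust the pattern if you serve HTML as
                     application/xhtml+xml. -->
                <rule name="Remove Content-Security-Policy from non-HTML">
                    <match serverVariable="RESPONSE_Content_Security_Policy" pattern=".*" />
                    <conditions>
                        <add input="{RESPONSE_CONTENT_TYPE}" pattern="^text/html" negate="true" />
                    </conditions>
                    <action type="Rewrite" value="" />
                </rule>
                <rule name="Remove X-Content-Security-Policy from non-HTML">
                    <match serverVariable="RESPONSE_X_Content_Security_Policy" pattern=".*" />
                    <conditions>
                        <add input="{RESPONSE_CONTENT_TYPE}" pattern="^text/html" negate="true" />
                    </conditions>
                    <action type="Rewrite" value="" />
                </rule>
                <rule name="Remove X-UA-Compatible from non-HTML">
                    <match serverVariable="RESPONSE_X_UA_Compatible" pattern=".*" />
                    <conditions>
                        <add input="{RESPONSE_CONTENT_TYPE}" pattern="^text/html" negate="true" />
                    </conditions>
                    <action type="Rewrite" value="" />
                </rule>
                <rule name="Remove X-WebKit-CSP from non-HTML">
                    <match serverVariable="RESPONSE_X_WebKit_CSP" pattern=".*" />
                    <conditions>
                        <add input="{RESPONSE_CONTENT_TYPE}" pattern="^text/html" negate="true" />
                    </conditions>
                    <action type="Rewrite" value="" />
                </rule>
                <rule name="Remove X-XSS-Protection from non-HTML">
                    <match serverVariable="RESPONSE_X_XSS_Protection" pattern=".*" />
                    <conditions>
                        <add input="{RESPONSE_CONTENT_TYPE}" pattern="^text/html" negate="true" />
                    </conditions>
                    <action type="Rewrite" value="" />
                </rule>
            </outboundRules>
        </rewrite>
    </system.webServer>
</configuration>
```

Note that the CSP rules here strip `Content-Security-Policy` from JavaScript responses too, which the hint itself tolerates (CSP applies to workers); if you rely on per-script CSP, add a second negated condition on `{RESPONSE_CONTENT_TYPE}` for `^text/javascript` to those two rules.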
Note that:

* If your site uses a MIME type different than `text/html` to serve
  HTML content (e.g.: `application/xhtml+xml`), you'll have to update
  the value of `pattern`.
* The above snippet works with IIS 7+.
* You should use the above snippet in the `web.config` of your
  application.
For the complete set of configurations, not just for this rule,
see the [IIS server configuration related documentation][iis config].
## Can the hint be configured?

Yes, you can use:

* `include` to specify additional HTTP headers that should
  be disallowed for non-HTML resources
* `ignore` to specify which of the disallowed HTTP headers
  should be ignored

E.g. the following hint configuration used in the [.hintrc][hintrc]
file will make the hint allow non-HTML resources to be served with the
`Content-Security-Policy` HTTP header, but not with `Custom-Header`:

```json
{
    "connector": {...},
    "formatters": [...],
    "hints": {
        "no-html-only-headers": [ "warning", {
            "ignore": ["Content-Security-Policy"],
            "include": ["Custom-Header"]
        }],
        ...
    },
    ...
}
```
## How to use this hint?

This package is installed automatically by webhint:

```bash
npm install hint --save-dev
```

To use it, activate it via the [.hintrc][hintrc] configuration file:

```json
{
    "connector": {...},
    "formatters": [...],
    "hints": {
        "no-html-only-headers": "error",
        ...
    },
    "parsers": [...],
    ...
}
```

Note: The recommended way of running webhint is as a `devDependency` of
your project.
[apache config]: https://webhint.io/docs/user-guide/server-configurations/apache/
[apache directory]: https://httpd.apache.org/docs/current/mod/core.html#directory
[header directive]: https://httpd.apache.org/docs/current/mod/mod_headers.html#header
[hintrc]: https://webhint.io/docs/user-guide/configuring-webhint/summary/
[how to enable apache modules]: https://github.com/h5bp/server-configs-apache/tree/7eb30da6a06ec4fc24daf33c75b7bd86f9ad1f68#enable-apache-httpd-modules
[htaccess is slow]: https://httpd.apache.org/docs/current/howto/htaccess.html#when
[main apache conf file]: https://httpd.apache.org/docs/current/configuring.html#main
[mod_headers]: https://httpd.apache.org/docs/current/mod/mod_headers.html
[iis config]: https://webhint.io/docs/user-guide/server-configurations/iis/
[url rewrite]: https://docs.microsoft.com/en-us/iis/extensions/url-rewrite-module/using-the-url-rewrite-module