STCLI-248 prune STS headers from proxy responses

Prune the STS header in proxy responses, thus allowing non-SSL access via, e.g., http://localhost:3000 even when the server supplies STS headers that require end-to-end SSL. Refs STCLI-248
folio-org · Oct 10, 2024 · 2f73e3c · 2f73e3c
1 parent a9447b3
commit 2f73e3c
Show file tree

Hide file tree

Showing 2 changed files with 11 additions and 0 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,5 +1,9 @@
 # Change history for stripes-cli
 
+## 3.3.0 IN PROGRESS
+
+* Prune STS headers, permitting local non-SSL access via proxy. Refs STCLI-248.
+
 ## 3.2.0 IN PROGRESS
 
 * Add a proxy server to overcome issues with cookies SameSite policy. Refs STCLI-246.

diff --git a/lib/run-proxy.js b/lib/run-proxy.js
@@ -3,6 +3,7 @@ const { createProxyMiddleware } = require('http-proxy-middleware');
 
 const app = express();
 
+// [argv.okapi, argv.port, argv.proxyHost, argv.proxyPort]);
 const OKAPI = process.argv[2];
 const PORT = process.argv[3];
 const PROXY_HOST = process.argv[4];
@@ -15,8 +16,14 @@ app.use(
     changeOrigin: true,
     on: {
       proxyRes: (proxyRes) => {
+        // STCOM-247: overwrite any CORS headers in responses with those of
+        // the proxy, thus allowing access from any browser pointed at the proxy.
         proxyRes.headers['Access-Control-Allow-Origin'] = `${PROXY_HOST}:${PORT}`;
         proxyRes.headers['Access-Control-Allow-Credentials'] = 'true';
+
+        // STCOM-248: omit STS headers in responses, thus allowing non-ssl access,
+        // e.g. access via http://localhost:3000
+        delete proxyRes.headers['Strict-Transport-Security'];
       },
     },
   }),