customHttpHeaders

Specify a function or a string containing an absolute path to a module that exports a function, which executes before the server responds to HTTP requests for a session page, such as Rich Display session. Through customHttpHeaders the server can be configured to override the default HTTP response headers, which may use stricter security than the application may need. For example, by default, HTTP headers are sent to prevent a Rich Display session from displaying in an IFrame; so, to load the page inside of an IFrame, the Content-Security-Policy and X-Frame-Options headers may need to be changed or removed.

When called, the function will receive the following 2 parameters:

request - the HTTP request object, which can be read to conditionally change headers.
response - the HTTP response object before it gets sent to the client.

The module is loaded upon server startup and cached like any Node.js module.

Example 1

config.js setting:

// Remove headers that prevent Rich Display sessions from loading inside of an iframe.
customHttpHeaders: function(request, response) {
    response.removeHeader("X-Frame-Options");
    response.removeHeader("Content-Security-Policy");
}

Example 2

config.js setting:

customHttpHeaders: path.join("c:", "profoundjs", "customHttpHeaders.js");

Content of customHttpHeaders.js:

module.exports = function(request, response) {
  // Allow pages to be inside of iframes if the parent iframe is the same PJS server.
  response.setHeader("Content-Security-Policy", "frame-ancestors " + profound.settings.host);
};

Click here for information on how to modify this setting.

customHttpHeaders is available in Profound.js versions after 7.4.0.