feat: conditionally set headers (if not already set) in redirect response (#190)

ljeda · ljeda · web-flow · commit b51ab84ce105 · 2025-02-20T10:38:45.000-06:00
* conditionally set headers (if not already set) in redirect response

* add new function description

---------

Co-authored-by: ljeda &lt;Lukasz.Jeda@pl.ibm.com&gt;
diff --git a/index.js b/index.js
@@ -198,11 +198,22 @@ function createRedirectDirectoryListener () {
 
     // send redirect response
     res.statusCode = 301
-    res.setHeader('Content-Type', 'text/html; charset=UTF-8')
-    res.setHeader('Content-Length', Buffer.byteLength(doc))
-    res.setHeader('Content-Security-Policy', "default-src 'none'")
-    res.setHeader('X-Content-Type-Options', 'nosniff')
-    res.setHeader('Location', loc)
+    setHeaderIfNotSet(res, 'Content-Type', 'text/html; charset=UTF-8')
+    setHeaderIfNotSet(res, 'Content-Length', Buffer.byteLength(doc))
+    setHeaderIfNotSet(res, 'Content-Security-Policy', "default-src 'none'")
+    setHeaderIfNotSet(res, 'X-Content-Type-Options', 'nosniff')
+    setHeaderIfNotSet(res, 'Location', loc)
     res.end(doc)
   }
 }
+
+/**
+ * Set default value for the header only if it is not already set in the response
+ * @private
+ */
+
+function setHeaderIfNotSet (res, name, value) {
+  if (!res.hasHeader(name)) {
+    res.setHeader(name, value)
+  }
+}
diff --git a/test/test.js b/test/test.js
@@ -469,6 +469,9 @@ describe('serveStatic()', function () {
     before(function () {
       server = createServer(fixtures, null, function (req, res) {
         req.url = req.url.replace(/\/snow(\/|$)/, '/snow \u2603$1')
+        if (req.url.match(/\/pets/)) {
+          res.setHeader('Content-Security-Policy', "default-src 'self'")
+        }
       })
     })
 
@@ -508,13 +511,20 @@ describe('serveStatic()', function () {
         .expect(301, />Redirecting to \/snow%20%E2%98%83\/</, done)
     })
 
-    it('should respond with default Content-Security-Policy', function (done) {
+    it('should respond with default Content-Security-Policy when header is not set', function (done) {
       request(server)
         .get('/users')
         .expect('Content-Security-Policy', "default-src 'none'")
         .expect(301, done)
     })
 
+    it('should respond with custom Content-Security-Policy when header is set', function (done) {
+      request(server)
+        .get('/pets')
+        .expect('Content-Security-Policy', "default-src 'self'")
+        .expect(301, done)
+    })
+
     it('should not redirect incorrectly', function (done) {
       request(server)
         .get('/')
