
Allow to add http_response_headers in http_handlers of any type #79975

Merged
yakov-olkhovskiy merged 7 commits into ClickHouse:master from zvonand:add-headers-in-handlers
May 28, 2025

zvonand (Contributor) commented May 8, 2025

Changelog category (leave one):

  • Improvement

Changelog entry (a user-readable short description of the changes that goes to CHANGELOG.md):

Allow to add http_response_headers in http_handlers of any kind

Documentation entry for user-facing changes

  • Documentation is written (mandatory for new features)

@zvonand zvonand changed the title Allow to add http_response_headers in http_handlers of any kind Allow to add http_response_headers in http_handlers of any type May 8, 2025
filimonov (Contributor) commented May 8, 2025

Motivation:
Some companies perform manual or automated security checks and penetration testing. These tools often flag HTTP endpoints that are missing certain headers considered essential for preventing common web-based attacks.

Examples of such headers include:

  • Strict-Transport-Security
  • Content-Security-Policy
  • X-Content-Type-Options
  • Referrer-Policy
  • Permissions-Policy (formerly Feature-Policy)
  • Cache-Control

Currently, ClickHouse allows setting custom HTTP headers for query-related handlers, but not for others such as the play and dashboard interfaces. To improve security compliance and reduce false positives in vulnerability scanners, we should provide a mechanism to configure these headers for any of the HTTP handlers used by ClickHouse.

A full list of explicitly configured HTTP handlers is available here:
https://gist.github.com/filimonov/6c2e87b3e7bd7909ef0c31a1068c68d7
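
An added example, not part of the comment above or of the PR's code: a small audit that reads an `http_handlers` config and reports, per rule, which of the headers listed above are not set in `http_response_headers`. The XML layout, the `play` and `dashboard` handler type names, and the sample config are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Header names taken from the list in the comment above.
EXPECTED = [
    "Strict-Transport-Security",
    "Content-Security-Policy",
    "X-Content-Type-Options",
    "Referrer-Policy",
    "Permissions-Policy",
    "Cache-Control",
]

# Constructed sample config (assumed layout: each header is a child element
# of <http_response_headers> inside <handler>); not taken from the PR.
SAMPLE_CONFIG = """
<clickhouse>
  <http_handlers>
    <rule>
      <url>/play</url>
      <handler>
        <type>play</type>
        <http_response_headers>
          <X-Content-Type-Options>nosniff</X-Content-Type-Options>
          <Referrer-Policy>no-referrer</Referrer-Policy>
          <cache-control>no-store</cache-control>
        </http_response_headers>
      </handler>
    </rule>
    <rule>
      <url>/dashboard</url>
      <handler><type>dashboard</type></handler>
    </rule>
  </http_handlers>
</clickhouse>
"""

def missing_headers(config_xml):
    """Map each rule's URL to the expected headers its handler does not set."""
    report = {}
    for rule in ET.fromstring(config_xml).iterfind("./http_handlers/rule"):
        url = rule.findtext("url", default="(no url)")
        headers = rule.iterfind("./handler/http_response_headers/*")
        # HTTP header names are case-insensitive, so compare in lower case.
        configured = {h.tag.lower() for h in headers}
        report[url] = [h for h in EXPECTED if h.lower() not in configured]
    return report

if __name__ == "__main__":
    for url, missing in missing_headers(SAMPLE_CONFIG).items():
        print(url, "missing:", ", ".join(missing) or "none")
```
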

@zvonand zvonand requested a review from filimonov May 9, 2025 11:28
@GrigoryPervakov GrigoryPervakov added the can be tested Allows running workflows for external contributors label May 12, 2025
clickhouse-gh bot (Contributor) commented May 12, 2025

Workflow [PR], commit [445dd9b]

@clickhouse-gh clickhouse-gh bot added the pr-improvement Pull request with some product improvements label May 12, 2025
@zvonand zvonand force-pushed the add-headers-in-handlers branch 4 times, most recently from de3dbd5 to 0e99fe8 Compare May 13, 2025 10:30
@zvonand zvonand force-pushed the add-headers-in-handlers branch from 0e99fe8 to 9b454eb Compare May 13, 2025 10:30
@yakov-olkhovskiy yakov-olkhovskiy self-assigned this May 14, 2025
zvonand (Contributor, Author) commented May 20, 2025

@yakov-olkhovskiy the PR is ready for review and the tests are green

@yakov-olkhovskiy yakov-olkhovskiy added this pull request to the merge queue May 28, 2025
Merged via the queue into ClickHouse:master with commit 62e633e May 28, 2025
120 checks passed
@robot-ch-test-poll2 robot-ch-test-poll2 added the pr-synced-to-cloud The PR is synced to the cloud repo label May 28, 2025
@zvonand zvonand deleted the add-headers-in-handlers branch May 28, 2025 12:40
zvonand pushed a commit to Altinity/ClickHouse that referenced this pull request Jun 3, 2025
Allow to add `http_response_headers` in `http_handlers` of any type
zvonand pushed a commit to Altinity/ClickHouse that referenced this pull request Jun 3, 2025
Allow to add `http_response_headers` in `http_handlers` of any type
zvonand added a commit to Altinity/ClickHouse that referenced this pull request Jun 5, 2025
24.8.14 Backport of ClickHouse#79975 Allow to add `http_response_headers` in `http_handlers` of any kind