Custom HTTP Headers not working

Hello,

I have installed HashiCorp Vault via official Helm chart (GitHub - hashicorp/vault-helm: Helm chart to install Vault and other associated components.). I am currently using v1.15.6.

I am trying to set some custom HTTP headers, following the documentation here: Create customized HTTP headers for your Vault requests | Vault | HashiCorp Developer.
I have added the custom headers inside the listener "tcp" stanza. But when I make a curl request, these headers don't seem to show up, only some pre-configured ones.
Has anyone of you tried this?

Thanks,
Glisav

Can you share a de-identified config you are using for Vault? I just tested with an example from the HTTP headers doc.

Here is the example config I used:

server:
   affinity: ""
   ha:
      enabled: true
      raft:
         enabled: true
         setNodeId: true
         config: |
            cluster_name = "vault-integrated-storage"
            storage "raft" {
               path = "/vault/data/"
            }
            listener "tcp" {
               tls_disable = 1
               address = "[::]:8200"
               cluster_address = "[::]:8201"
            
               custom_response_headers {
                 "default" = {
                  "Content-Security-Policy" = ["connect-src https://cluster.vault.external"],
                  "X-Custom-Header" = ["Vault created header to meet security requirements"]
                  }
               }
            }
            service_registration "kubernetes" {}

Here is the output where you can see the content security policy added in the config above (wrapped in **):

curl --head --location --header "X-Vault-Request: true" --header "X-Vault-Token: hvs.myAwesomeSuperSecureToken" http://127.0.0.1:8200
HTTP/1.1 404 Not Found
Cache-Control: no-store
**Content-Security-Policy: connect-src https://cluster.vault.external**

As a test, just to be sure, I then removed the custom header from the config and did a clean deploy. No more custom security header.

curl --head --location --header "X-Vault-Request: true" --header "X-Vault-Token: hvs.r6nYXXP8MsD96X9AiS8b2RsN" http://127.0.0.1:8200
HTTP/1.1 404 Not Found
Cache-Control: no-store
Content-Type: text/plain; charset=utf-8
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Content-Type-Options: nosniff
Date: Thu, 16 May 2024 15:02:54 GMT
Content-Length: 19

Hi @jonathanfrappier
Thank you for your reply. My configuration looks like this:

server:
  standalone:
    config: |
      ui = true

      listener "tcp" {
        tls_disable = 1
        address = "[::]:8200"
        cluster_address = "[::]:8201"

        custom_response_headers {
          default {
            "X-Frame-Options" = ["SAMEORIGIN"]
          }
        }
      }

And the response from curl request is this:

$ curl --head --location --header "X-Vault-Request: true" --header "X-Vault-Token: root" http://127.0.0.1:8200

HTTP/1.1 307 Temporary Redirect
Cache-Control: no-store
Content-Type: text/html; charset=utf-8
Location: /ui/
Strict-Transport-Security: max-age=31536000; includeSubDomains
Date: Fri, 17 May 2024 08:44:53 GMT

HTTP/1.1 200 OK
Accept-Ranges: bytes
Cache-Control: no-store
Content-Length: 805208
Content-Security-Policy: default-src 'none'; connect-src 'self'; img-src 'self' data:; script-src 'self'; style-src 'unsafe-inline' 'self'; form-action 'none'; frame-ancestors 'none'; font-src 'self'
Content-Type: text/html; charset=utf-8
Service-Worker-Allowed: /
Strict-Transport-Security: max-age=31536000; includeSubDomains
Vary: Accept-Encoding
X-Content-Type-Options: nosniff
Date: Fri, 17 May 2024 08:44:53 GMT

The X-Frame-Options custom header looks like it is not being validated.

From your reply, it looks like the header you added, X-Custom-Header, is also not included in the response of the curl request.

Thank you!

I have copied the same configuration from the documentation:

But, still when I do a curl request, I get this result:

HTTP/1.1 307 Temporary Redirect
Cache-Control: no-store
Content-Type: text/html; charset=utf-8
Location: /ui/
Strict-Transport-Security: max-age=31536000; includeSubDomains
Date: Fri, 17 May 2024 09:09:40 GMT

HTTP/1.1 200 OK
Accept-Ranges: bytes
Cache-Control: no-store
Content-Length: 805208
Content-Security-Policy: default-src 'none'; connect-src 'self'; img-src 'self' data:; script-src 'self'; style-src 'unsafe-inline' 'self'; form-action 'none'; frame-ancestors 'none'; font-src 'self'
Content-Type: text/html; charset=utf-8
Service-Worker-Allowed: /
Strict-Transport-Security: max-age=31536000; includeSubDomains
Vary: Accept-Encoding
X-Content-Type-Options: nosniff
Date: Fri, 17 May 2024 09:09:40 GMT

UPDATE:
I managed to solve it. The Helm chart was configured in dev mode, in which case the configuration block where I put the custom headers was ignored. I changed the values and deployed the Vault cluster in standalone mode, and it finally worked.

1 Like
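The curl-based verification from the first reply and the dev-mode resolution from the final update, combined into one script. This is an added example, not code from the thread or from the vault-helm project: the captured responses are constructed to mirror the thread's output, the function names (final_response, missing_headers, write_values) are my own, and the Helm values rely on the chart keys server.dev.enabled and server.standalone.enabled/config as documented by vault-helm. The check deliberately inspects only the last HTTP response, because `curl --location` prints one header block per hop (the 307 to /ui/ and then the 200) and a header looked up on the wrong hop gives a misleading result.

```shell
#!/bin/sh
# Added example (not from the thread or the vault-helm project): confirm that the
# custom_response_headers you configured are actually served, and write Helm values
# that avoid the dev-mode pitfall from the thread. Samples below are constructed.

# final_response: read a `curl --head --location` capture on stdin and print only the
# last HTTP response. CRs are stripped so awk's paragraph mode (RS="") sees the blank
# line between hops.
final_response() {
  tr -d '\r' | awk 'BEGIN { RS = "" } { block = $0 } END { print block }'
}

# missing_headers FILE HEADER...: print each expected header name (matched
# case-insensitively at line start) that is absent from the final response in FILE.
# Exit status 1 if anything is missing, so it can gate a deployment pipeline.
missing_headers() {
  file=$1
  shift
  final=$(final_response < "$file")
  rc=0
  for name in "$@"; do
    if ! printf '%s\n' "$final" | grep -qi "^$name:"; then
      echo "$name"
      rc=1
    fi
  done
  return $rc
}

# Constructed capture: shape of the thread's dev-mode output, where the custom
# X-Frame-Options header never appears on the final 200.
capture_dev_mode() {
  printf 'HTTP/1.1 307 Temporary Redirect\r\nCache-Control: no-store\r\nLocation: /ui/\r\n\r\n'
  printf 'HTTP/1.1 200 OK\r\nCache-Control: no-store\r\nX-Content-Type-Options: nosniff\r\n\r\n'
}

# Constructed capture: the same probe after redeploying in standalone mode, with the
# custom_response_headers stanza honoured.
capture_standalone() {
  printf 'HTTP/1.1 307 Temporary Redirect\r\nCache-Control: no-store\r\nLocation: /ui/\r\n\r\n'
  printf 'HTTP/1.1 200 OK\r\nCache-Control: no-store\r\nX-Frame-Options: SAMEORIGIN\r\nX-Content-Type-Options: nosniff\r\n\r\n'
}

# write_values FILE: Helm values that run Vault in standalone (not dev) mode so that
# server.standalone.config is used at all. Assumed chart keys: server.dev.enabled,
# server.standalone.enabled and server.standalone.config (documented by vault-helm);
# the storage "file" block is the minimum a standalone pod needs to start.
write_values() {
  cat > "$1" <<'EOF'
server:
  dev:
    enabled: false        # dev mode runs `vault server -dev` and ignores standalone.config
  standalone:
    enabled: true
    config: |
      ui = true
      listener "tcp" {
        tls_disable = 1
        address = "[::]:8200"
        cluster_address = "[::]:8201"
        custom_response_headers {
          "default" = {
            "X-Frame-Options" = ["SAMEORIGIN"]
          }
        }
      }
      storage "file" {
        path = "/vault/data"
      }
EOF
}

# Stand-alone demo. Against a live cluster, replace the constructed capture with:
#   curl --head --location --header "X-Vault-Request: true" http://127.0.0.1:8200 > headers.txt
if [ "${1:-}" = "demo" ]; then
  dev=$(mktemp); capture_dev_mode > "$dev"
  echo "dev mode, missing headers:"
  missing_headers "$dev" X-Frame-Options X-Content-Type-Options || true
  sa=$(mktemp); capture_standalone > "$sa"
  echo "standalone mode, missing headers:"
  missing_headers "$sa" X-Frame-Options X-Content-Type-Options && echo "(none)"
  vals=$(mktemp); write_values "$vals"; echo "values written to $vals"
fi
```

Run it as `sh check_headers.sh demo`. In CI the useful pattern is `missing_headers headers.txt X-Frame-Options || exit 1` after the real curl probe, so a chart value that silently switches the pod back to dev mode fails the pipeline instead of quietly dropping the security headers.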