Simplify securityheader package by merging header fields.

From RFC2616 (https://www.w3.org/Protocols/rfc2616/rfc2616-sec4.html#sec4.2): > It MUST be possible to combine the multiple header fields into one "field-name: field-value" pair, > without changing the semantics of the message, by appending each subsequent field-value to the first, > each separated by a comma. This was correct before, but this simplifes a bit and shaves off a few bytes from the response. Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-12-15 21:38:55 -06:00 · 2020-12-15 21:38:55 -06:00 · 74e52187a3
commit 74e52187a3
parent 602f3c59ba
2 changed files with 2 additions and 9 deletions
--- a/internal/httputil/securityheader/securityheader.go
+++ b/internal/httputil/securityheader/securityheader.go
@ -16,16 +16,9 @@ func Wrap(wrapped http.Handler) http.Handler {
 		h.Set("X-Content-Type-Options", "nosniff")
 		h.Set("Referrer-Policy", "no-referrer")
 		h.Set("X-DNS-Prefetch-Control", "off")
-
-		// first overwrite existing Cache-Control header with Set, then append more headers with Add
-		h.Set("Cache-Control", "no-cache")
-		h.Add("Cache-Control", "no-store")
-		h.Add("Cache-Control", "max-age=0")
-		h.Add("Cache-Control", "must-revalidate")
-
+		h.Set("Cache-Control", "no-cache,no-store,max-age=0,must-revalidate")
 		h.Set("Pragma", "no-cache")
 		h.Set("Expires", "0")
-
 		wrapped.ServeHTTP(w, r)
 	})
 }
--- a/internal/httputil/securityheader/securityheader_test.go
+++ b/internal/httputil/securityheader/securityheader_test.go
@ -45,7 +45,7 @@ func TestWrap(t *testing.T) {
 		"X-Frame-Options":         []string{"DENY"},
 		"X-Xss-Protection":        []string{"1; mode=block"},
 		"X-Dns-Prefetch-Control":  []string{"off"},
-		"Cache-Control":           []string{"no-cache", "no-store", "max-age=0", "must-revalidate"},
+		"Cache-Control":           []string{"no-cache,no-store,max-age=0,must-revalidate"},
 		"Pragma":                  []string{"no-cache"},
 		"Expires":                 []string{"0"},
 	}