Thank you for your answer.
What I was worried about some kind of cache poisoning, for instance:
- jquery is not yet used on my website
- an “attacker” requests the non-existing
/assets/jquery.js
asset (which returns a 404)
- if I then deploy my site with these new assets, every client (or proxy) that cached that 404 keeps serving it for the whole cache lifetime, breaking their page
This scenario might be unlikely, but if somehow the attacker gets access to my development deploys, he will know in advance which assets will exist in a future release and attempt to break it.
I really think that a new option is needed for the headers, to prevent such attack:
- either depending on the HTTP Status code
- or depending on the existence of the file (but this must take SPAs into account, where every unknown URL is rewritten to `index.html` and therefore never returns a 404 — a path-existence check alone cannot tell "real asset" from "fallback")
What do you think?
In the meantime, I made a similar hack to what I have done for the _redirects: after the build, scan all the assets and add one header entry per file (this is a vue-cli plugin). Because a rule is only emitted for paths that actually exist in the build output, a request for a not-yet-existing asset is answered with a 404 that carries no long-lived Cache-Control, so it cannot be cached ahead of the release:
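/**
 * vue-cli plugin registering `vue-cli-service generate-headers`.
 *
 * After a build, walks `dist/assets/` and appends one Netlify `_headers`
 * rule per existing file, giving shared caches a one-week lifetime for
 * that exact URL path. Rules are emitted only for files that exist in this
 * build, so a 404 for a not-yet-existing asset never carries the long-lived
 * Cache-Control and cannot be cached ahead of a release.
 *
 * @param {object} api - vue-cli plugin API (only `registerCommand` is used).
 */
module.exports = api => {
  api.registerCommand(
    "generate-headers",
    {
      description: "Generates the _headers file for netlify",
      usage: "vue-cli-service generate-headers"
    },
    () => {
      const fs = require("fs");
      const path = require("path");

      // Build output directory and the sub-tree that gets long-lived cache rules.
      const distDir = "dist";
      const assetsDir = path.join(distDir, "assets");

      // Shared-cache lifetime: one week. The directive is spelled `s-maxage`
      // (RFC 7234 §5.2.2.9); the misspelling `s-max-age` is not a recognised
      // directive and is silently ignored by proxies/CDNs, which would leave
      // these assets with no shared-cache lifetime at all.
      const cacheControl = "public, s-maxage=604800";

      /**
       * Recursively collect every non-directory entry below `dir`.
       * Sorted so the generated `_headers` is deterministic between builds
       * (easier to diff and review). Errors from readdir/stat propagate to
       * the caller instead of being dropped.
       * @param {string} dir
       * @returns {string[]} file paths relative to the process cwd
       */
      const walk = dir => {
        const files = [];
        for (const name of fs.readdirSync(dir).sort()) {
          const file = path.join(dir, name);
          if (fs.statSync(file).isDirectory()) {
            files.push(...walk(file));
          } else {
            files.push(file);
          }
        }
        return files;
      };

      // Map a file on disk to the URL path Netlify serves it under.
      // `path.relative` + forward slashes keeps the rule valid on Windows,
      // where path.join produces backslashes that would never match a request.
      const toUrlPath = file =>
        "/" + path.relative(distDir, file).split(path.sep).join("/");

      // One rule per existing asset: URL path line, then an indented header line,
      // entries separated by a blank line (Netlify `_headers` format).
      const output = walk(assetsDir)
        .map(file => `${toUrlPath(file)}\n Cache-Control: ${cacheControl}\n`)
        .join("\n");

      // Append rather than overwrite so hand-written rules already in
      // dist/_headers (e.g. security headers) are preserved.
      fs.appendFileSync(path.join(distDir, "_headers"), output);
      console.log(`Headers:\n`, output);
    }
  );
};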