Set security relevant response headers for ng serve

[jofrly]

🚀 Feature request

Command (mark with an x)

- [ ] new
- [ ] build
- [x] serve
- [ ] test
- [ ] e2e
- [ ] generate
- [ ] add
- [ ] update
- [ ] lint
- [ ] xi18n
- [ ] run
- [ ] config
- [ ] help
- [ ] version
- [ ] doc

Description

I want to set a response header for every request served by ng serve (e.g. Content-Security-Policy to make my local development environment more equal to the production environment.

Describe the solution you'd like

An option might be to be able to set headers within the angular.json's serve section

Describe alternatives you've considered

I tried to add a wildcard entry in the proxy.conf.js file (/**) and set the header within the onProxyRes method like so:

    onProxyRes: (proxyRes, req, res) => {
      proxyRes.headers['Content-Security-Policy'] = 'default-src \'self\' \'unsafe-eval\' \'unsafe-inline\'';
    }

But this method does not get triggered.

[filipesilva]

I'm sorry to be the bearer of bad news, but ng serve is not meant to be a high fidelity reproduction of a real production environment. As such we don't intend on adding options to increase fidelity in general.

You still have a couple of approaches you can take though. Using a proxy should work, as should using ng build --watch and a different server.

I understand you've tried to use proxy.conf.js and that didn't seem to work. We don't add processing to that functionality at all so I suggest checking out https://webpack.js.org/configuration/dev-server/#devserverproxy (this is the functionality we expose) and if something is broken report it on the webpack issue trackers. You can also use another proxy that you provide yourself and that forwards calls to the ng serve addresses.

[angular-automatic-lock-bot]

This issue has been automatically locked due to inactivity.
Please file a new issue if you are encountering a similar or related problem.

Read more about our automatic conversation locking policy.

_{This action has been performed automatically by a bot.}