How to set headers for a React app created using 'create-react-app'

Asked 18/4, 2018 at 9:56 Answered 27/3, 2022 at 16:21

I created a sample react app using "create-react-app". I need to set the request headers with X-Frame-options and Content-Security-Policy. How do I do this? I just tried to update my index.html with the below code, but I'm not sure whether this it's right or not. Can anyone help with this?

   <meta http-equiv="Content-Security-Policy" content="frame-ancestors 'none'">
   <meta http-equiv="X-Frame-Options" content="SAMEORIGIN">

Haydeehayden answered 18/4, 2018 at 9:56 Comment(3)

update the index.html should be fine .. – Vitebsk 18/4, 2018 at 9:57

Could you elaborate about what you are referring to? Are you referring to request headers as in the http headers when you are sending an HTTP request to an API endpoint? – Paramnesia 18/4, 2018 at 10:47

@Jackyef: I want to send the http response headers with x-Frame-Options that instruct the browser to restrict framing where it is not allowed. – Haydeehayden 18/4, 2018 at 11:58

You have to override some webpack config that comes with create-react-app and add "X-Frame-Options": "SAMEORIGIN".

But in CRA, you can't do that directly with a webpack.config.js. You gotta use a package that rewires the way CRA start / build your app. Here are the rewiring packages you can use:

react-app-rewired (CRA v1)
customize-cra or rescript (CRA v2)
craco (CRA v3)

To know which CRA version you used, you can roughly follow the react-scripts version in your package.json.

craco

I succeeded with this craco config!!! In craco.config.js:

module.exports = {
    webpack: {
        headers: {
            'X-Frame-Options': 'Deny'
        }
    }
}

(I tested by scanning in Burpsuite; the Frameable Response issue was gone.)

Reference: How to set alias path via webpack in CRA (create-react-app) and craco?

react-app-rewired

I THINK you could try this, BUT I haven't tested it. In config-overrides.js:

module.exports = {
    devServer: function(configFunction) {
        return function(proxy, allowedHost) {
            const config = configFunction(proxy, allowedHost)
            config.headers = {
                'X-Frame-Options': 'Deny'
            }
            return config
        }
    }
}

Reference: Create React App adding CORS header

*I may have loosely gotten the versions wrongly, please correct if so.

Alienist answered 7/7, 2020 at 11:9 Comment(3)

The sample for react-app-rewired works, I confirm. – Extraneous 26/5, 2021 at 5:10

THANK YOU! THIS WAS SO HELPFUL! Now if anyone can tell me why the headers work locally but now when deployed to Heroku (using react-app-rewired), I would be even more grateful :D – Handbill 23/9, 2021 at 16:32

With Craco 6.1 I had to set the devServer export instead: module.exports = { devServer: (cfg) => { cfg.headers = { 'X-Frame-Options': 'Deny' }; return cfg }, ... – Faggoting 7/2, 2022 at 10:32

Simply modifying index.html as you have is not sufficient, at least for X-Frame-Options. Per OWASP:

Common Defense Mistakes

Meta-tags that attempt to apply the X-Frame-Options directive DO NOT WORK. For example, ) will not work. You must apply the X-FRAME-OPTIONS directive as HTTP Response Header...

MDC has a similar warning.

I spent some time looking, but didn't find a way to set X-Frame-Options in React itself. There are ways to do it at the server level or in other languages (e.g. for Tomact, or in Java, or with webpack, or configure it with Spring Security), which may or may not be helpful to you.

React doesn't seem to support Content-Security-Policy either... at least not as of 2013, and I searched but did not find any more recent change in position.

Matusow answered 24/4, 2018 at 21:57 Comment(3)

With all that being said, I would love it if I just missed something and someone could point to a way to do this in React. – Matusow 24/4, 2018 at 21:58

Yes, if somebody have any solution for how to do it in reactjs please reply – Hydnocarpate 21/5, 2020 at 7:23

I used craco to inject a few headings for webpack's devServer, which is what npm start with CRA uses. worked first time. headers: { 'Cross-Origin-Opener-Policy': 'same-origin', 'Cross-Origin-Embedder-Policy': 'require-corp', }, craco is a bit of a commitment, though. It helps if you've been driven crazy by the problem you're trying to solve. – Randle 12/3, 2023 at 4:35

If you are talking specifically for the dev server, you can configure the underlying express instance using the 'manually configure proxy' process.

You can set headers there:

// src/setupProxy.js

module.exports = function(app) {
  app.use((req, res, next) => {
    res.set({
        'foo': 'bar'
    });
      next();
  }); 
};

Girish answered 29/6, 2021 at 5:15 Comment(0)

For react-scripts start update your src/setupProxy.js:

module.exports = function (app) {
  app.use(function (req, res, next) {
    res.setHeader("X-Frame-Options", "DENY");
    next();
  });
};

If you in the Heroku and use buildpacks update static.json:

{
  "root": "build/",
  "https_only": true,
  "clean_urls": true,
  "routes": {
    "/**": "index.html"
  },
  "headers": {
    "/**": {
      "X-Frame-Options": "DENY"
    }
  }
}

If you host your app via Apache (production):

RequestHeader setIfEmpty X-Frame-Options "DENY"

or for older (pre-v2.4.7) with set:

<Location /app>
    RequestHeader set X-Frame-Options  "DENY"
</Location>

Stouthearted answered 27/3, 2022 at 16:21 Comment(0)

x-frame-options and content-security-policy are response headers and not request headers. So you need to put it on server and not in react app (client)

Setting answered 3/12, 2021 at 6:17 Comment(0)

craco

react-app-rewired

Common Defense Mistakes

Recommended topics

Hot tags