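-- Sets the Content-Security-Policy response header from the incoming Host
-- request header, after checking that header against a fixed allow-list.
-- Requests whose Host header is not on the list receive an error page.
--
-- Security notes:
--   * The Host header is client-controlled. It is copied into the response
--     header only after an exact match against VALID_HOSTS, so the CSP value
--     is always built from one of the literals below.
--   * The match is exact: a value that differs in letter case or carries a
--     ":port" suffix is rejected. Add such variants to VALID_HOSTS if they
--     are legitimately expected.
--   * Only the script-src directive is emitted; no other CSP directive is
--     set by this script.

-- Kept local so the request value does not leak into the global environment.
local host = HTTPRequest.getHeader("host")

-- Allow-list stored as a set for direct lookup.
local VALID_HOSTS = {
  ["www.ibm.com"] = true,
  ["gateway.ibm.com"] = true,
}

--- Reduce a rejected Host value to something safe to show in a message.
-- Keeps at most 255 bytes and replaces every byte outside the characters
-- used by hostnames, ports and IPv6 literals with "?".
-- @param value the raw header value (may be nil when the header is absent)
-- @return a string containing only [A-Za-z0-9._:-] plus "[", "]" and "?"
local function printable_host(value)
  if type(value) ~= "string" then
    return "(none)"
  end
  -- gsub returns (string, count); the local assignment keeps the string only.
  local cleaned = value:sub(1, 255):gsub("[^%w%.%-:%[%]_]", "?")
  return cleaned
end

if type(host) == "string" and VALID_HOSTS[host] then
  -- host is byte-identical to an allow-list entry at this point.
  HTTPResponse.setHeader("Content-Security-Policy",
    string.format("script-src %s;", host))
else
  -- NOTE(review): whether the error page template escapes this message is
  -- not visible here, so the untrusted value is neutralised before it is
  -- reflected. A missing header is reported as "(none)" instead of passing
  -- nil to string.format.
  Control.returnErrorPage(
    string.format("An invalid host header was received: %s",
      printable_host(host)))
end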