Version 2.1

- bpoVaryAcceptEncoding now supports content created by the inheried class
- bpoDeleteXPoweredBy was excluded from DEFAULT_BOILERPLATE_OPTIONS

.gitattributes

@@ -1 +1,2 @@
 * text=auto
+Tests/Assets/* binary

BoilerplateHTTPServer.pas

@@ -89,6 +89,11 @@
   - Deprecation of Iframes cookies support in Internet Explorer
   - TAssets.SaveAssets remove regexp for assets matching
     (this excludes dependency over SynTable.pas)
+
+  Version 2.1
+  - bpoVaryAcceptEncoding now supports content created by the inheried class
+  - bpoDeleteXPoweredBy was excluded from DEFAULT_BOILERPLATE_OPTIONS
+
 *)
 
 interface
@@ -244,8 +249,7 @@ interface
     // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
     // https://tools.ietf.org/html/rfc7034
     // https://blogs.msdn.microsoft.com/ieinternals/2010/03/30/combating-clickjacking-with-x-frame-options/
-    // https://www.owasp.org/index.php/Clickjacking    //
-    // - Use TBoilerplateHTTPServer.FileTypesAsset to exclude some file types
+    // https://www.owasp.org/index.php/Clickjacking
     bpoSetXFrameOptions,
 
     /// Block access to files that can expose sensitive information.
@@ -863,7 +867,6 @@   TBoilerplateHTTPServer = class(TSQLHttpServer)
     bpoPreventMIMESniffing,
     bpoEnableXSSFilter,
     bpoEnableReferrerPolicy,
-    bpoDeleteXPoweredBy,
     bpoFixMangledAcceptEncoding,
     bpoForceGZipHeader,
     bpoSetCachePublic,
@@ -1712,7 +1715,8 @@ function TBoilerplateHTTPServer.Request(Context: THttpServerRequest): Cardinal;
     DeleteCustomHeader(Context, 'SERVER-INTERNALSTATE:');
 
   if (bpoVaryAcceptEncoding in LOptions) and
-    (Asset <> nil) and (Asset.GZipExists or Asset.BrotliExists) then
+    ((Asset = nil) or
+     (Asset <> nil) and (Asset.GZipExists or Asset.BrotliExists)) then
   begin
     Vary := DeleteCustomHeader(Context, 'VARY:');
     if Vary <> '' then

ChangeLog.md

@@ -74,3 +74,7 @@ Version 2.0
  - Deprecation of Iframes cookies support in Internet Explorer
  - TAssets.SaveAssets remove regexp for assets matching
    (this excludes dependency over SynTable.pas)
+
+Version 2.1
+ - bpoVaryAcceptEncoding now supports content created by the inheried class
+ - bpoDeleteXPoweredBy was excluded from DEFAULT_BOILERPLATE_OPTIONS

Tests/BoilerplateTests.pas

@@ -51,9 +51,9 @@   TBoilerplateHTTPServerShould = class(TSynTestCase)
     procedure Delegate404ToInherited_404;
     procedure RegisterCustomOptions;
     procedure UnregisterCustomOptions;
-    procedure SetVaryAcceptEncoding;
     procedure RedirectInInherited_404;
     procedure UpdateStaticAsset;
+    procedure SetVaryAcceptEncoding;
   end;
 
   TBoilerplateFeatures = class(TSynTests)
@@ -645,17 +645,15 @@ procedure TBoilerplateHTTPServerShould.Delegate404ToInherited_404;
   begin
     GivenClearServer;
     GivenAssets;
-    GivenInHeader('Host', 'localhost');
     GivenOptions([bpoDelegateBadRequestTo404]);
-    WhenRequest('123456');
+    WhenRequest('123456', 'localhost');
     ThenOutContentEqualsFile('Assets\404.html');
     ThenRequestResultIs(HTTP_NOTFOUND);
 
     GivenClearServer;
     GivenAssets;
-    GivenInHeader('Host', 'localhost');
     GivenOptions([bpoDelegateBadRequestTo404, bpoDelegate404ToInherited_404]);
-    WhenRequest;
+    WhenRequest('', 'localhost');
     ThenOutContentIs('404 NOT FOUND');
     ThenRequestResultIs(HTTP_NOTFOUND);
   end;
@@ -1279,17 +1277,15 @@ procedure TBoilerplateHTTPServerShould.DelegateIndexToInheritedDefault;
   begin
     GivenClearServer;
     GivenAssets;
-    GivenInHeader('Host', 'localhost');
     GivenOptions([bpoDelegateRootToIndex]);
-    WhenRequest;
+    WhenRequest('', 'localhost');
     ThenOutContentEqualsFile('Assets\index.html');
     ThenRequestResultIs(HTTP_SUCCESS);
 
     GivenClearServer;
     GivenAssets;
-    GivenInHeader('Host', 'localhost');
     GivenOptions([bpoDelegateRootToIndex, bpoDelegateIndexToInheritedDefault]);
-    WhenRequest;
+    WhenRequest('', 'localhost');
     ThenOutContentIs('DEFAULT CONTENT');
     ThenRequestResultIs(HTTP_SUCCESS);
   end;
@@ -1306,9 +1302,8 @@ procedure TBoilerplateHTTPServerShould.DelegateIndexToInheritedDefaultOverSSL;
   begin
     GivenClearServer;
     GivenAssets;
-    GivenInHeader('Host', 'localhost');
     GivenOptions([bpoDelegateRootToIndex, bpoDelegateIndexToInheritedDefault]);
-    WhenRequest('', '', True);
+    WhenRequest('', 'localhost', True);
     ThenOutContentIs('DEFAULT CONTENT');
     ThenRequestResultIs(HTTP_SUCCESS);
   end;
@@ -1518,8 +1513,7 @@ procedure TBoilerplateHTTPServerShould.RedirectInInherited_404;
   begin
     GivenClearServer;
     GivenOptions([bpoDelegateBadRequestTo404, bpoDelegate404ToInherited_404]);
-    GivenInHeader('Host', 'localhost');
-    WhenRequest('123456');
+    WhenRequest('123456', 'localhost');
     ThenApp404Called;
   end;
 end;
@@ -2045,6 +2039,20 @@ procedure TBoilerplateHTTPServerShould.SetVaryAcceptEncoding;
     GivenOptions([bpoVaryAcceptEncoding]);
     WhenRequest('/img/marmot.jpg');
     ThenOutHeaderValueIs('Vary', '');
+
+    GivenClearServer;
+    GivenOptions([bpoDelegateIndexToInheritedDefault]);
+    GivenAssets;
+    WhenRequest('/default', 'localhost');
+    ThenRequestResultIs(HTTP_SUCCESS);
+    ThenOutHeaderValueIs('Vary', '');
+
+    GivenClearServer;
+    GivenOptions([bpoDelegateIndexToInheritedDefault, bpoVaryAcceptEncoding]);
+    GivenAssets;
+    WhenRequest('/default', 'localhost');
+    ThenRequestResultIs(HTTP_SUCCESS);
+    ThenOutHeaderValueIs('Vary', 'Accept-Encoding');
   end;
 end;