HTTP Security Headers

Origin Response Headers

A Pugpig Connector should return the correct headers to indicate to upstream caches which content is internal, protected or publicly available.

The following headers are used:

X-Pugpig-Entitlement
The entitlement required to access this resource. If an edition is free, this header is not supplied. If the edition is protected, the value is the ID of the edition, for example 'com.pugpig.edition01'. If the edition is sampleable, the Atom feed is freely available, and only the protected HTML and manifest files carry the header.

X-Pugpig-Status
Either 'published' or 'unpublished'. Content that is unpublished should only ever be shown to internal users.

Authentication Request Headers

Different systems will use different authentication tokens. These are generated on the server by the Edition Credentials calls, which take either a vendor store receipt (iTunes/Google/etc) or third-party subscription credentials.

These credentials are later passed in every request for protected content as an HTTP header (often the Authorization header) or a Cookie header. The token grants access either to a single entitlement (if a hash is used) or to a set of entitlements/paths (if encryption is used).

Edge Authentication Logic

If you are using these headers for Edge Authentication, the logic you should apply is as follows. Note that we always return a 403 Forbidden, never a 401: some devices respond to a 401 by popping up their built-in authentication dialog, asking for credentials that a human will never know.

// Don't allow access to internal content
if (X-Pugpig-Status == 'unpublished') return 403;

// Always allow access to free/public content
if (X-Pugpig-Entitlement is empty) return 200;

// Get the credentials from the request header, and check whether they grant
// access to the requested resource
if (resourceIsAllowed(credentials)) return 200; else return 403;
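The following is an added example, not Pugpig code, that ties the three sections above together: it mints a hash-style credential of the kind the Edition Credentials step would issue (one entitlement per token), reads the origin's X-Pugpig-Status and X-Pugpig-Entitlement headers, and applies the edge logic to a request carrying the token in either the Authorization or the Cookie header. The token format ('<entitlement>:<hex HMAC-SHA256>'), the 'Bearer' scheme, the cookie name 'pugpig_token' and the shared key are all assumptions made for the example; the real token layout is defined by whichever system generates the credentials.

```python
import hmac
import hashlib

# Constructed demo key. Assumption: the server that issues credentials and the
# edge that verifies them share this secret (hash-style, single-entitlement token).
SECRET_KEY = b"demo-shared-secret-do-not-use-in-production"
COOKIE_NAME = "pugpig_token"  # assumed cookie name, not Pugpig's


def _lower_keys(headers):
    """HTTP header names are case-insensitive; normalise for lookup."""
    return {k.lower(): v for k, v in headers.items()}


def mint_token(entitlement, key=SECRET_KEY):
    """Hypothetical Edition Credentials step: bind exactly one entitlement to a MAC.
    Token format (assumed): '<entitlement>:<hex hmac-sha256>'."""
    mac = hmac.new(key, entitlement.encode(), hashlib.sha256).hexdigest()
    return f"{entitlement}:{mac}"


def resource_is_allowed(token, required_entitlement, key=SECRET_KEY):
    """Check that the token is genuine and grants the entitlement the origin demands."""
    if not token or ":" not in token:
        return False
    entitlement, _, mac = token.rpartition(":")
    expected = hmac.new(key, entitlement.encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison so a forger cannot learn the MAC byte by byte.
    if not hmac.compare_digest(mac.encode(), expected.encode()):
        return False
    # A hash-style token grants a single entitlement; it must match the resource's.
    return hmac.compare_digest(entitlement.encode(), required_entitlement.encode())


def _credentials_from_request(request_headers):
    """Pull the token from 'Authorization: Bearer <token>' or the cookie (both assumed)."""
    scheme, _, token = request_headers.get("authorization", "").partition(" ")
    if scheme.lower() == "bearer" and token.strip():
        return token.strip()
    for part in request_headers.get("cookie", "").split(";"):
        name, _, value = part.strip().partition("=")
        if name == COOKIE_NAME and value:
            return value
    return None


def edge_decision(origin_headers, request_headers, key=SECRET_KEY):
    """Apply the edge authentication logic; returns the HTTP status to send."""
    origin = _lower_keys(origin_headers)
    request = _lower_keys(request_headers)

    # Don't allow access to internal content (403, never 401, see text above).
    if origin.get("x-pugpig-status", "").lower() == "unpublished":
        return 403

    # Always allow access to free/public content: no entitlement header at all.
    required = origin.get("x-pugpig-entitlement", "")
    if required == "":
        return 200

    # Protected content: the request must carry a credential for this entitlement.
    token = _credentials_from_request(request)
    return 200 if resource_is_allowed(token, required, key) else 403


if __name__ == "__main__":
    # Constructed sample headers, as the origin and a device would send them.
    protected = {"X-Pugpig-Status": "published",
                 "X-Pugpig-Entitlement": "com.pugpig.edition01"}
    token = mint_token("com.pugpig.edition01")
    print(edge_decision(protected, {"Authorization": "Bearer " + token}))   # 200
    print(edge_decision(protected, {"Cookie": f"{COOKIE_NAME}={token}"}))  # 200
    print(edge_decision(protected, {}))                                     # 403
    print(edge_decision({"X-Pugpig-Status": "published"}, {}))              # 200
```

Note that the unpublished check comes first and is unconditional: even a valid credential for the edition does not open internal content at the edge, which matches the pseudocode above. The sampleable case needs no special handling, because the Atom feed arrives from the origin with no X-Pugpig-Entitlement header and falls through to the public branch, while the HTML and manifest files do carry the header and go through the credential check.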