Add ability to send custom HTTP headers

src/webui/api/appcontroller.cpp

@@ -243,6 +243,9 @@ void AppController::preferencesAction()
     data["web_ui_csrf_protection_enabled"] = pref->isWebUiCSRFProtectionEnabled();
     data["web_ui_secure_cookie_enabled"] = pref->isWebUiSecureCookieEnabled();
     data["web_ui_host_header_validation_enabled"] = pref->isWebUIHostHeaderValidationEnabled();
+    // Custom HTTP headers
+    data["web_ui_use_custom_http_headers_enabled"] = pref->isWebUICustomHTTPHeadersEnabled();
+    data["web_ui_custom_http_headers"] = pref->getWebUICustomHTTPHeaders();
     // Update my dynamic domain name
     data["dyndns_enabled"] = pref->isDynDNSEnabled();
     data["dyndns_service"] = pref->getDynDNSService();
@@ -623,6 +626,11 @@ void AppController::setPreferencesAction()
         pref->setWebUiSecureCookieEnabled(it.value().toBool());
     if (hasKey("web_ui_host_header_validation_enabled"))
         pref->setWebUIHostHeaderValidationEnabled(it.value().toBool());
+    // Custom HTTP headers
+    if (hasKey("web_ui_use_custom_http_headers_enabled"))
+        pref->setWebUICustomHTTPHeadersEnabled(it.value().toBool());
+    if (hasKey("web_ui_custom_http_headers"))
+        pref->setWebUICustomHTTPHeaders(it.value().toString());
     // Update my dynamic domain name
     if (hasKey("dyndns_enabled"))
         pref->setDynDNSEnabled(it.value().toBool());

src/webui/webapplication.cpp

@@ -347,6 +347,27 @@ void WebApplication::configure()
             : QLatin1String("default-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; script-src 'self' 'unsafe-inline'; object-src 'none'; form-action 'self';"))
         + (m_isClickjackingProtectionEnabled ? QLatin1String(" frame-ancestors 'self';") : QLatin1String(""))
         + (m_isHttpsEnabled ? QLatin1String(" upgrade-insecure-requests;") : QLatin1String(""));
+
+    m_useCustomHTTPHeaders = pref->isWebUICustomHTTPHeadersEnabled();
+    m_customHTTPHeaders.clear();
+    if (m_useCustomHTTPHeaders) {
+        const QString customHeaders = pref->getWebUICustomHTTPHeaders().trimmed();
+        const QVector<QStringRef> customHeaderLines = customHeaders.splitRef('\n', QString::SkipEmptyParts);
+        m_customHTTPHeaders.reserve(customHeaderLines.size());
+
+        for (const QStringRef &line : customHeaderLines) {
+            const int idx = line.indexOf(':');
+            if (idx < 0) {
+                // require separator `:` to be present even if `value` field can be empty
+                LogMsg(tr("Missing ':' separator in WebUI custom HTTP header: \"%1\"").arg(line.toString()), Log::WARNING);
+                continue;
+            }
+
+            const QString header = line.left(idx).trimmed().toString();
+            const QString value = line.mid(idx + 1).trimmed().toString();
+            m_customHTTPHeaders.push_back({header, value});
+        }
+    }
 }
 
 void WebApplication::registerAPIController(const QString &scope, APIController *controller)
@@ -451,6 +472,11 @@ Http::Response WebApplication::processRequest(const Http::Request &request, cons
     if (!m_contentSecurityPolicy.isEmpty())
         header(QLatin1String(Http::HEADER_CONTENT_SECURITY_POLICY), m_contentSecurityPolicy);
 
+    if (m_useCustomHTTPHeaders) {
+        for (const CustomHTTPHeader &i : asConst(m_customHTTPHeaders))
+            header(i.name, i.value);
+    }
+
     return response();
 }
 

src/webui/webapplication.h

@@ -157,4 +157,13 @@ private:
     bool m_isHostHeaderValidationEnabled;
     bool m_isHttpsEnabled;
     QString m_contentSecurityPolicy;
+
+    // Custom HTTP headers
+    struct CustomHTTPHeader
+    {
+        QString name;
+        QString value;
+    };
+    bool m_useCustomHTTPHeaders;
+    QVector<CustomHTTPHeader> m_customHTTPHeaders;
 };

src/webui/www/private/views/preferences.html

@@ -787,6 +787,14 @@
                 </table>
             </fieldset>
         </fieldset>
+
+        <fieldset class="settings">
+            <legend>
+                <input type="checkbox" id="webUIUseCustomHTTPHeadersCheckbox" onclick="qBittorrent.Preferences.updateWebUICustomHTTPHeadersSettings();" />
+                <label for="webUIUseCustomHTTPHeadersCheckbox">QBT_TR(Add custom HTTP headers)QBT_TR[CONTEXT=OptionsDialog]</label>
+            </legend>
+            <textarea id="webUICustomHTTPHeadersTextarea" placeholder="QBT_TR(Header: value pairs, one per line)QBT_TR[CONTEXT=OptionsDialog]" style="width: 90%;"></textarea>
+        </fieldset>
     </fieldset>
 
     <fieldset class="settings">
@@ -1139,6 +1147,7 @@
                 updateBypasssAuthSettings: updateBypasssAuthSettings,
                 updateAlternativeWebUISettings: updateAlternativeWebUISettings,
                 updateHostHeaderValidationSettings: updateHostHeaderValidationSettings,
+                updateWebUICustomHTTPHeadersSettings: updateWebUICustomHTTPHeadersSettings,
                 updateDynDnsSettings: updateDynDnsSettings,
                 registerDynDns: registerDynDns,
                 applyPreferences: applyPreferences
@@ -1381,6 +1390,11 @@
             $('webui_domain_textarea').setProperty('disabled', !isHostHeaderValidationEnabled);
         };
 
+        const updateWebUICustomHTTPHeadersSettings = function() {
+            const isEnabled = $('webUIUseCustomHTTPHeadersCheckbox').getProperty('checked');
+            $('webUICustomHTTPHeadersTextarea').setProperty('disabled', !isEnabled);
+        };
+
         const updateDynDnsSettings = function() {
             const isDynDnsEnabled = $('use_dyndns_checkbox').getProperty('checked');
             $('dyndns_select').setProperty('disabled', !isDynDnsEnabled);
@@ -1737,6 +1751,11 @@
                         $('host_header_validation_checkbox').setProperty('checked', pref.web_ui_host_header_validation_enabled);
                         updateHostHeaderValidationSettings();
 
+                        // Custom HTTP headers
+                        $('webUIUseCustomHTTPHeadersCheckbox').setProperty('checked', pref.web_ui_use_custom_http_headers_enabled);
+                        $('webUICustomHTTPHeadersTextarea').setProperty('value', pref.web_ui_custom_http_headers);
+                        updateWebUICustomHTTPHeadersSettings();
+
                         // Update my dynamic domain name
                         $('use_dyndns_checkbox').setProperty('checked', pref.dyndns_enabled);
                         $('dyndns_select').setProperty('value', pref.dyndns_service);
@@ -2100,11 +2119,16 @@
             settings.set('alternative_webui_enabled', alternative_webui_enabled);
             settings.set('alternative_webui_path', webui_files_location_textarea);
 
+            // Security
             settings.set('web_ui_clickjacking_protection_enabled', $('clickjacking_protection_checkbox').getProperty('checked'));
             settings.set('web_ui_csrf_protection_enabled', $('csrf_protection_checkbox').getProperty('checked'));
             settings.set('web_ui_secure_cookie_enabled', $('secureCookieCheckbox').getProperty('checked'));
             settings.set('web_ui_host_header_validation_enabled', $('host_header_validation_checkbox').getProperty('checked'));
 
+            // Custom HTTP headers
+            settings.set('web_ui_use_custom_http_headers_enabled', $('webUIUseCustomHTTPHeadersCheckbox').getProperty('checked'));
+            settings.set('web_ui_custom_http_headers', $('webUICustomHTTPHeadersTextarea').getProperty('value'));
+
             // Update my dynamic domain name
             settings.set('dyndns_enabled', $('use_dyndns_checkbox').getProperty('checked'));
             settings.set('dyndns_service', $('dyndns_select').getProperty('value'));