dropwizard-web-security
Can't serve secure headers from within `rootPath`
I was trying to use this module to add Content-Security-Policy to an existing Dropwizard app. We serve HTML from our Dropwizard Resources, so our HTML responses are served from within Dropwizard's `rootPath`.
However, this library deliberately avoids injecting security headers within the `rootPath`. This behaviour seems to be hardcoded. The use case seems to be where you use things like IndexPageBundle to serve HTML from outside the `rootPath`, and you use your Dropwizard Resources to serve data (i.e. not HTML) only (and therefore your Dropwizard Resources do not need security headers).
This means I can't use dropwizard-web-security to serve secure headers for my app, because the `isJerseyRequest` condition avoids injecting secure headers within `rootPath`, which is exactly where I want them to be injected.
This might be an implementation issue, or it might be a documentation issue. I don't really understand whether dropwizard-web-security is intended to fit my use case or not. But I think either one of these should be the case:
- it should be possible to disable the `isJerseyRequest` filtering, or
- the README should make it clear that secure headers are not served for requests inside Dropwizard's `rootPath`
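The following is an added illustration of the decision being discussed, not code from dropwizard-web-security or from the issue author. It models a servlet filter that injects security headers and exposes the "skip requests under the Jersey `rootPath`" rule as a constructor flag, so the hardcoded behaviour and the requested opt-out can be compared side by side. The class name `SecureHeadersFilter`, the header set, the `normalize` helper and the sample paths are all assumptions made for this example; the real library's filter is not reproduced here.

```java
import java.io.IOException;
import java.util.Map;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Hypothetical security-header filter written for this issue as an illustration.
 * It is NOT the filter shipped by dropwizard-web-security; it only models the
 * rootPath question raised above so the two behaviours can be compared.
 */
public final class SecureHeadersFilter implements Filter {

    // Assumed header set; a real deployment would tune the CSP to its own origins.
    private static final Map<String, String> HEADERS = Map.of(
            "Content-Security-Policy", "default-src 'self'; frame-ancestors 'none'",
            "X-Content-Type-Options", "nosniff",
            "X-Frame-Options", "DENY",
            "Referrer-Policy", "no-referrer");

    private final String rootPath;            // Jersey root path, e.g. "/api/*" (assumed to come from config)
    private final boolean skipJerseyRequests; // true reproduces the "never inside rootPath" behaviour

    public SecureHeadersFilter(String rootPath, boolean skipJerseyRequests) {
        this.rootPath = normalize(rootPath);
        this.skipJerseyRequests = skipJerseyRequests;
    }

    /** Strip a trailing "*" (rootPath is commonly written "/api/*") and ensure a trailing slash. */
    static String normalize(String rootPath) {
        String p = rootPath.endsWith("*") ? rootPath.substring(0, rootPath.length() - 1) : rootPath;
        return p.endsWith("/") ? p : p + "/";
    }

    /** The kind of check the issue refers to as isJerseyRequest: is this request under the Jersey rootPath? */
    boolean isJerseyRequest(String requestPath) {
        // Append "/" so "/api" matches "/api/" but "/apiary" does not.
        String p = requestPath.endsWith("/") ? requestPath : requestPath + "/";
        return p.startsWith(rootPath);
    }

    /** The decision the issue asks to make configurable. */
    boolean shouldInjectHeaders(String requestPath) {
        return !(skipJerseyRequests && isJerseyRequest(requestPath));
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        if (shouldInjectHeaders(request.getRequestURI())) {
            // Set headers before the chain runs, so a resource that commits the
            // response early (streaming, large HTML) still carries them.
            HEADERS.forEach(response::setHeader);
        }
        chain.doFilter(req, res);
    }

    @Override public void init(FilterConfig filterConfig) {}
    @Override public void destroy() {}

    /** Constructed sample paths showing the effect of the flag. */
    public static void main(String[] args) {
        String[] paths = {"/api/users", "/api", "/apiary/x", "/index.html", "/assets/app.js"};
        SecureHeadersFilter skipping = new SecureHeadersFilter("/api/*", true);
        SecureHeadersFilter always = new SecureHeadersFilter("/api/*", false);
        for (String path : paths) {
            System.out.printf("%-16s skipJerseyRequests=true -> %-5s  false -> %s%n",
                    path, skipping.shouldInjectHeaders(path), always.shouldInjectHeaders(path));
        }
    }
}
```

With `skipJerseyRequests=true` the filter leaves `/api/users` and `/api` without headers, which is the situation described in the issue when HTML is served from Jersey resources; with `false` every path gets them. To wire such a filter into a Dropwizard application you would register it on the servlet environment with the standard servlet API, e.g. `environment.servlets().addFilter("secure-headers", filter).addMappingForUrlPatterns(EnumSet.of(DispatcherType.REQUEST), true, "/*")`; the exact `rootPath` value would be read from the application's server configuration, which is assumed here rather than shown.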
I've encountered this issue as well. I'm trying to understand the logic behind the `isJerseyRequest` filtering: is this a case of static assets vs API calls? It seems like it would be safer to apply the content security headers to all calls, assets or not, even if it's a bit wasteful.