Support disabling default Server and Date headers #818
Conversation
There was a problem hiding this comment.
Hi @stiiin sorry for getting back this late,
could you please if you still fancy doing it rebase this PR and adapt your tests to the new "layout" we setup for tests, reading current tests this should be fairly easy, if you dont have time let me know I'll pursue this PR.
|
also if you can find again the relevant part of the RFC that would be awesome to keep it written here for future reference, thanks ! |
|
Hi @euri10! I rebased my changes, but without running tests. Let's see if the workflow likes it.
I already mentioned a section of the RFC in the commit message for the Date header change. Is that what you were looking for, or was it something else? |
|
the CI fails, you can use you also can use and thanks for the rfc, date: https://datatracker.ietf.org/doc/html/rfc7231#section-7.1.1.2 |
|
Sorry for the failed run, I should've just looked around a bit more to find the linter and test run script. After fixing the linter issues, it seems I messed up the rebase in a way that removed the behaviour for the Date header, so I re-implemented that. Please review those changes, maybe the naming or the style could be better. I've changed the commit message about the Server option so that it refers to 7.4.2 from the same RFC, where the wording implies that the Server header is optional. |
|
You're right, I should've acted on my other gut feeling ;) If you don't mind, I'll amend my changes rather than using Github's commit feature. At least I know what's going to happen if I do it through git's CLI. |
Section 7.4.2 of RFC 7231 states that "an origin server MAY generate a Server field in its responses." The "MAY" means that sending this header is entirely optional. While the implementation of encode#321 allowed applications to override the Server header, there was no way to disable the Server header altogether. By default, uvicorn adds a Server header to each response that doesn't have one through other means. This change adds the server_header flag to Config, as well as the commandline option --no-server-header, through which this behaviour can be disabled.
When an origin server does not have a sufficiently reliable clock, section 7.1.1.2 of RFC 7231 stipulates that it "MUST NOT" send a Date header field. By default, uvicorn adds a Date header to each response. This change adds the date_header flag to Config, as well as the commandline option --no-date-header, through which this behaviour can be disabled.
|
thanks a lot @stiiin ! |
| @@ -36,6 +36,20 @@ async def test_override_server_header(): | |||
| ) | |||
|
|
|||
|
|
|||
| @pytest.mark.asyncio | |||
| async def test_disable_default_server_header(): | |||
There was a problem hiding this comment.
| async def test_disable_default_server_header(): | |
| async def test_disable_server_header(): |
|
|
||
|
|
||
| @pytest.mark.asyncio | ||
| async def test_disable_default_date_header(): |
There was a problem hiding this comment.
| async def test_disable_default_date_header(): | |
| async def test_disable_date_header(): |
| "--server-header/--no-server-header", | ||
| is_flag=True, | ||
| default=True, | ||
| help="Enable/Disable default Server header.", |
There was a problem hiding this comment.
| help="Enable/Disable default Server header.", | |
| help="Enable/Disable server header.", |
There was a problem hiding this comment.
I think the distinction in the help text would still be somewhat helpful. You can always issue a Server header from the application code, right?
| "--date-header/--no-date-header", | ||
| is_flag=True, | ||
| default=True, | ||
| help="Enable/Disable default Date header.", |
There was a problem hiding this comment.
| help="Enable/Disable default Date header.", | |
| help="Enable/Disable date header.", |
* Support disabling default Server header (#688) Section 7.4.2 of RFC 7231 states that "an origin server MAY generate a Server field in its responses." The "MAY" means that sending this header is entirely optional. While the implementation of #321 allowed applications to override the Server header, there was no way to disable the Server header altogether. By default, uvicorn adds a Server header to each response that doesn't have one through other means. This change adds the server_header flag to Config, as well as the commandline option --no-server-header, through which this behaviour can be disabled. * Support disabling default Date header When an origin server does not have a sufficiently reliable clock, section 7.1.1.2 of RFC 7231 stipulates that it "MUST NOT" send a Date header field. By default, uvicorn adds a Date header to each response. This change adds the date_header flag to Config, as well as the commandline option --no-date-header, through which this behaviour can be disabled.
* Support disabling default Server header (encode#688) Section 7.4.2 of RFC 7231 states that "an origin server MAY generate a Server field in its responses." The "MAY" means that sending this header is entirely optional. While the implementation of encode#321 allowed applications to override the Server header, there was no way to disable the Server header altogether. By default, uvicorn adds a Server header to each response that doesn't have one through other means. This change adds the server_header flag to Config, as well as the commandline option --no-server-header, through which this behaviour can be disabled. * Support disabling default Date header When an origin server does not have a sufficiently reliable clock, section 7.1.1.2 of RFC 7231 stipulates that it "MUST NOT" send a Date header field. By default, uvicorn adds a Date header to each response. This change adds the date_header flag to Config, as well as the commandline option --no-date-header, through which this behaviour can be disabled.
As described in the individual commit messages, this pull request adds configuration flags to control the default Server and Date headers. With these flags, the Server header can be entirely removed rather than overwritten, and the Date header can be suppressed in (the extremely rare) case that HTTP/1.1 requires an origin server to do so.
Fixes #688