
How do I remove response headers? #2269

Open
alilland opened this issue Jun 15, 2022 · 1 comment
alilland commented Jun 15, 2022

Many application frameworks provide the ability to remove response headers, how is this done in Grape?

I see there is stuff like version 'v1', using: :header, vendor: 'twitter', cascade: false to turn off certain headers, but I want to harden my webserver and remove them completely.

My goal is to implement the same headers that the expressJS library "helmet" uses to harden nodejs servers, but at the same time the same library removes headers for you like X-Powered-By, which in my case is added by my Passenger server, which does not provide me with the ability to remove it...

< Content-Security-Policy: default-src 'self';base-uri 'self';block-all-mixed-content;font-src 'self' https: data:;frame-ancestors 'self';img-src 'self' data:;object-src 'none';script-src 'self';script-src-attr 'none';style-src 'self' https: 'unsafe-inline';upgrade-insecure-requests
< ETag: W/"3e-DqINi7yil7BpHYD6XuyvL1LYGGo"
< Expect-CT: max-age=0
< Referrer-Policy: no-referrer
< Strict-Transport-Security: max-age=15552000; includeSubDomains
< Vary: Accept-Encoding
< X-Content-Type-Options: nosniff
< X-DNS-Prefetch-Control: off
< X-Download-Options: noopen
< X-Frame-Options: SAMEORIGIN
< X-Permitted-Cross-Domain-Policies: none
< X-XSS-Protection: 0

I see that many libraries provide the ability to remove headers, but I can't find the response variable where response headers are kept in order to edit it. For instance:

ExpressJS:

app.use(function (req, res, next) {
  res.header('Pragma', 'no-cache');
  res.removeHeader('Pragma');
  next();
});

Rails:

response.headers['Connection'] = 'Closed'
remove_keys = %w(X-Runtime Cache-Control Server Etag Set-Cookie)
response.headers.delete_if { |key, _| remove_keys.include? key }
dblock commented Jun 15, 2022

You can set headers with header, so header X, nil will remove it, same as in Rails. See https://github.com/ruby-grape/grape/blob/master/lib/grape/endpoint.rb#L273 where headers are returned to the rack middleware stack. That said, there's a whole set of other middleware involved in a response, and each may be altering/adding/removing headers, thus depending on how Grape is mounted, removing something may not actually be removing it (because another middleware, e.g. rack-cache, would re-add it).

So the answer is "it depends" and "grape might not be the right place to do it". Do you have a running example where a header is returned that you want removed?
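A Rack-level illustration of the ordering point in the answer above, added here as an example and not code from the thread or from Grape: a header-stripping middleware only works if it wraps the layer that re-adds the header, so stripping inside Grape cannot touch what Passenger or rack-cache sets further out. Everything is plain Ruby with no gems; the class names, the sample app and the header value are constructed for the example.

```ruby
# Added example (not from the thread or from Grape). Pure-Ruby Rack-style
# objects: each responds to call(env) and returns [status, headers, body].

# Constructed innermost app standing in for a Grape endpoint that has already
# done `header 'X-Powered-By', nil`: it emits no X-Powered-By itself.
GRAPE_LIKE_APP = lambda do |_env|
  [200, { 'Content-Type' => 'application/json' }, ['{"ok":true}']]
end

# Constructed middleware standing in for a layer (Passenger, rack-cache, ...)
# that adds a header after the endpoint has run.
class ReAddPoweredBy
  def initialize(app)
    @app = app
  end

  def call(env)
    status, headers, body = @app.call(env)
    [status, headers.merge('X-Powered-By' => 'constructed-server/1.0'), body]
  end
end

# Hypothetical hardening middleware: drops the named response headers.
# Matching is case-insensitive because Rack 3 lower-cases header names.
class StripResponseHeaders
  def initialize(app, names)
    @app = app
    @names = names.map(&:downcase)
  end

  def call(env)
    status, headers, body = @app.call(env)
    kept = headers.reject { |name, _| @names.include?(name.downcase) }
    [status, kept, body]
  end
end

# Returns the response header names produced by a given stack.
def response_header_names(app)
  _status, headers, _body = app.call({})
  headers.keys
end

# Stripper inside the re-adding layer: the header comes back ("it depends").
INNER_STRIP = ReAddPoweredBy.new(StripResponseHeaders.new(GRAPE_LIKE_APP, ['X-Powered-By']))
# Stripper outermost: it sees the final headers and the removal sticks.
OUTER_STRIP = StripResponseHeaders.new(ReAddPoweredBy.new(GRAPE_LIKE_APP), ['X-Powered-By'])

if __FILE__ == $PROGRAM_NAME
  puts "stripper inside:  #{response_header_names(INNER_STRIP).inspect}"
  puts "stripper outside: #{response_header_names(OUTER_STRIP).inspect}"
end
```

In a real deployment the equivalent is to strip headers at the outermost layer (the web server or the first `use` in config.ru), not inside the Grape endpoint.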
