Unable to remove response header #206
Comments
Hi @SDrinkwater, https://expressjs.com/en/api.html#res.send The
I'd also like to see this functionality added as we are also trying to remove the @grant I think this header is coming from this library as it creates the express app: functions-framework-nodejs/src/invoker.ts Line 349 in 5d61008
The default setting for Then any sub-apps that are used for client function routes have their You can try it with the following:

```js
const express = require('express')

const app = express()
app.get('/', (req, res) => {
  res.send('Will have x-powered-by header')
})

const subapp = express()
subapp.disable('x-powered-by')
subapp.all('*', (req, res) => {
  res.send(`Will still have x-powered-by header despite being disabled: subapp.enabled('x-powered-by')=${subapp.enabled('x-powered-by')}`)
})
app.use('/subapp', subapp)

// Matches how functions are called
app.all('/calledsubapp', (req, res, next) => {
  subapp(req, res, next)
})

// Port chosen arbitrarily so the routes above can be queried
app.listen(3000)
```

Querying the main app:
Querying the sub app:
Querying the called sub app:
Adding in Also the docs even explicitly recommend disabling this header.
Happy to do a PR (with some tests) to at least disable the
Oh, I don't think this header is intentionally added.
It looks like we should add helmet. https://www.npmjs.com/package/helmet#how-it-works
Hi folks, LMK if there are other issues with removing that response header.
This issue should not be closed or at least another issue about Even using helmet my above reproduction steps still apply for that header as it’s being set at a level where the end function user can’t reach.
@grant Can we please reopen this issue. The comment you linked #214 (comment) doesn't solve the problem, it just suggests why helmet shouldn't be installed by default. The problem really comes down to the fact that we don't have access to the root
@SDrinkwater Sure, I can re-open. Did exporting an express app with helmet middleware not solve the issue? That should intercept all requests and is essentially the root app (the root app routes all requests to your app). And Can you provide reproduction steps and expected/actual behavior you are seeing with code?
@grant Alright, looks like I might have jumped the gun. Adding helmet to an express function does remove the header, as does the following code:

```js
const express = require("express");

const app = express();

// Strip the header before the function handler runs
app.use((_req, res, next) => {
  res.removeHeader("X-Powered-By");
  next();
});
app.use(testFunction);

function testFunction(req, res) {
  res.send("Hello World");
}

exports.testFunction = app;
```

However, I originally raised this issue as a suggestion from another very similar issue raised in the This library is apparently the underlying framework used by firebase cloud functions and hence the question posted here. Using the above technique doesn't remove the header when used with firebase-functions
Thanks for working through this. If the only ask is to remove the header, I think adding a line to remove it wouldn't be contested:

```js
app.disable('x-powered-by');
```

Here: functions-framework-nodejs/src/server.ts Line 87 in 63cb628
I think there was some contention with adding

Previous thoughts

I don't mean to juggle the issue, but if there is a way in this repo/module to remove the header, but a consumer (Firebase Functions) doesn't support this solution, that sounds like it should be triaged with Firebase Functions. The Functions Framework supports Express middleware so you can In the PR, we talked about adding Helmet, but we're sure if we wanted to add every feature and if all users wanted that #214 (comment).
There doesn't seem to be a way to remove a response header. I am trying to remove the X-Powered-By header. I am only able to set its value, through which I can effectively achieve the same result, but it would be nice to be able to actually remove the header.
Is there some way to achieve this?
Issue originally raised here: firebase/firebase-functions#754
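
A model of the ordering discussed in this thread (the sub-app reproduction and the `removeHeader` middleware), added here as an example and not code from the Functions Framework or Express. It assumes each app's init step sets `X-Powered-By` from that app's own setting only; `makeApp`, `initMiddleware`, `stripPoweredBy`, `poweredByAfter` and `scenarios` are hypothetical names, and only Node's built-in `http.ServerResponse` is a real API.

```javascript
const http = require('node:http');

// Stand-in for an Express app's settings (constructed; x-powered-by starts enabled).
function makeApp() {
  const settings = { 'x-powered-by': true };
  return {
    disable(key) { settings[key] = false; return this; },
    enabled(key) { return Boolean(settings[key]); },
  };
}

// Models the per-app init step: it consults only the app it belongs to.
function initMiddleware(app) {
  return (req, res, next) => {
    if (app.enabled('x-powered-by')) res.setHeader('X-Powered-By', 'Express');
    next();
  };
}

// Middleware a function author can add themselves, as in the thread.
const stripPoweredBy = (req, res, next) => { res.removeHeader('X-Powered-By'); next(); };

// Runs the chain in order on a real ServerResponse and returns the header left on it.
function poweredByAfter(chain) {
  const req = { method: 'GET', httpVersionMajor: 1, httpVersionMinor: 1, headers: {} };
  const res = new http.ServerResponse(req);
  let i = 0;
  const next = () => { const mw = chain[i++]; if (mw) mw(req, res, next); };
  next();
  return res.getHeader('X-Powered-By');
}

function scenarios() {
  const frameworkRoot = () => initMiddleware(makeApp()); // root app the author cannot reach
  const hardenedRoot = () => initMiddleware(makeApp().disable('x-powered-by'));
  const userDefault = () => initMiddleware(makeApp());
  const userDisabled = () => initMiddleware(makeApp().disable('x-powered-by'));
  return {
    userDisableOnly: poweredByAfter([frameworkRoot(), userDisabled()]),
    userStripsHeader: poweredByAfter([frameworkRoot(), userDefault(), stripPoweredBy]),
    rootDisabledOnly: poweredByAfter([hardenedRoot(), userDefault()]),
    bothDisabled: poweredByAfter([hardenedRoot(), userDisabled()]),
  };
}

console.log(scenarios());
```

In this model, disabling the setting only on the root still leaves the header when the function exports its own app with default settings, so a regression test for the header should cover both layers.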