This repository has been archived by the owner on Dec 18, 2018. It is now read-only.

Automatically add "Server" header to responses #138

Closed
halter73 opened this issue Jul 21, 2015 · 8 comments
Comments

@halter73
Member

This is required by TechEmpower benchmarks.

@Daniel15
Contributor

Is it worth adding something like X-Powered-By too? The server header is usually overwritten by reverse proxies (e.g. Nginx).

@benaadams
Contributor

Also X-AspNet-Version; however, both X-Powered-By and X-AspNet-Version should be able to be switched off. This is probably a good reference to be aware of: https://scotthelme.co.uk/hardening-your-http-response-headers/

Powered by and aspnet version are covered near the bottom.

@Daniel15
Contributor

I like X-Powered-By and Server headers because they help in estimating how many people are using a particular technology, but I do agree that it should be possible to turn it off. Maybe have three options:

  1. Full name + version (e.g. Server: Kestrel/1.2.3456 and X-Powered-By: ASP.NET 5.0.xxxxx)
  2. Name without version (e.g. Server: Kestrel and X-Powered-By: ASP.NET)
  3. Nothing at all

@benaadams
Contributor

However, you'd want the fast path to be with them disabled as that's what you'd want to test on plaintext as it would push the header to payload ratio to heavy disadvantage. Equally you'd want them to default to on as I don't think anyone would go out of their way to switch them on.

So at that point I assume it's more of a PR/Marketing question around what approach you want for internet server stat gatherers.

@benaadams
Contributor

Maybe versions/powered by could be middleware like CORS and be added by default on file->new like static files; but not added on New->Empty?

@halter73
Member Author

I guess I marked this as done too soon:

  • I think adding an X-Powered-By header makes sense if the Server header is usually overridden by proxies. It can be removed/edited like the other headers by modifying the header dictionary. Do we think X-Powered-By: ASP.NET 5.0.xxxxx is the best default?
  • I think we all agree the Server header should have a version by default.
  • I think X-AspNet-Version should be added by either the Hosting, MVC or some other middleware like @benaadams suggests. This is something we want for Helios and WebListener as well.

This issue is assigned to the beta7 milestone meaning it should be finished by this Friday. I think we should create another issue to track anything that we don't decide on by then.

@davidfowl @DamianEdwards @lodejard Do you have any opinions on this?

@benaadams
Contributor

I guess marked this done too soon

Probably not :) This change plus the Date one means Kestrel is in compliance with the HTTP spec which is the important thing.

The headers X-Powered-By and X-AspNet-Version you might want; but they aren't particularly important from a technical standpoint; but you are right they should live in a different issue.

@DamianEdwards
Member

Yeah I'd add another issue for that.
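
The three disclosure options listed in the thread (full name + version, name without version, nothing) can be checked from the outside by auditing a response's headers. The following is an added example, not part of the thread or of Kestrel's code; the function names, the version-matching heuristic and the sample responses are assumptions constructed for illustration.

```python
import re

# Headers the thread discusses as identifying the server stack.
DISCLOSURE_HEADERS = ("server", "x-powered-by", "x-aspnet-version")
LEVELS = ("none", "name-only", "name+version")  # least to most revealing

# Assumed heuristic: "/<digit>" (Kestrel/1.2.3456) or a dotted number that
# starts the value or follows whitespace (ASP.NET 5.0.xxxxx, 4.0.30319).
_VERSION = re.compile(r"/v?\d|(?:^|\s)\d+\.\w")

def parse_headers(raw):
    """Parse a raw HTTP response head into {lowercased name: [values]}."""
    headers = {}
    for line in raw.replace("\r\n", "\n").split("\n")[1:]:  # skip status line
        if not line:  # blank line ends the header block
            break
        name, sep, value = line.partition(":")
        if sep:  # ignore malformed lines without a colon
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers

def disclosure_level(value):
    """Map one header value onto the three options listed in the thread."""
    if not value or not value.strip():
        return LEVELS[0]
    return LEVELS[2] if _VERSION.search(value.strip()) else LEVELS[1]

def audit(raw):
    """Return {header: level}, using the most revealing value when repeated."""
    headers = parse_headers(raw)
    report = {}
    for name in DISCLOSURE_HEADERS:
        levels = [disclosure_level(v) for v in headers.get(name, [])]
        report[name] = max(levels, key=LEVELS.index, default=LEVELS[0])
    return report

# Constructed sample responses, using the header values quoted in the thread.
FULL = ("HTTP/1.1 200 OK\r\nServer: Kestrel/1.2.3456\r\n"
        "X-Powered-By: ASP.NET 5.0.xxxxx\r\nContent-Length: 0\r\n\r\n")
NAME_ONLY = ("HTTP/1.1 200 OK\r\nServer: Kestrel\r\n"
             "X-Powered-By: ASP.NET\r\nContent-Length: 0\r\n\r\n")

if __name__ == "__main__":
    for label, raw in (("full", FULL), ("name only", NAME_ONLY)):
        print(label, audit(raw))
```

When a reverse proxy appends its own `Server` value, the audit reports the most revealing of the repeated values for that header.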
