Unable to remove the X-Powered-By header when using onRequest()

[SDrinkwater]

Related issues

[REQUIRED] Version info

node: 10.20.1

firebase-functions: 3.9.0

firebase-tools: 8.4.2

firebase-admin: 9.0.0

[REQUIRED] Test case

Deploy the following function, or run it locally with the firebase emulator:

import * as express from 'express';
import { https } from 'firebase-functions';

const app = express();
app.disable('x-powered-by');

app.get('/test', (_req, res) => {
  res.status(200).end();
});

export const api = https.onRequest(app);

[REQUIRED] Steps to reproduce

Run the following command in your terminal (update the url to match the project - this example is using the base emulator url):

curl -i http://localhost:5001/{project-name/hosting-location}/api/test

Notice that the x-powered-by header comes back populated with Express.

[REQUIRED] Expected behavior

I would expect to have full control over which headers are returned with the response when using https.onRequest(). Regardless of which approach I use, this header always gets populated.

I have tried the following approaches:

app.disable('x-powered-by')

app.use(function (req, res, next) {  
  res.removeHeader("x-powered-by");
  next();
});

app.set('x-powered-by', false);  

[REQUIRED] Actual behavior

The x-powered-by header always gets populated with Express.

Were you able to successfully deploy your functions?

Yes, everything deploys successfully with no errors.

[google-oss-bot]

I couldn't figure out how to label this issue, so I've labeled it for a human to triage. Hang tight.

[sk-]

@SDrinkwater I think this issue should be raised in https://github.com/GoogleCloudPlatform/functions-framework-nodejs, which is the underlying framework used by cloud functions.

[rhodgkins]

Anyone any ideas how long till the fix in functions-framework-nodejs will be released?

[joehan]

Hi all, I'm going to close this issue since it is unfortunately out of the control of the maintainers of this repo.

Separately, I've reached out to the maintainers of functions-framework-nodejs to see if there will be a release anytime soon. If I hear back, I will update here. Otherwise, if you are facing this issue, your best bet is to ask about the next release on that repo.

[vpanyushenko]

For those of you who are still waiting on a fix, I would recommend you just manually change the x-powered-by header to some nonsense value instead of Express. You can do this right before you send the response:

    res.setHeader("x-powered-by", "Whatever you want");
    res.status(200).json({});