Feature: override all response headers (not just their values) #1440
Comments
You can remove them via stream handlers. I would, however, strongly advise against removing the Date header which is required by HTTP. I would also advise against removing the server header as this doesn't provide any real security.
Thanks for the response! (And yes, "security through obscurity" is no real security at all, we just don't want to disclose any unnecessary info). Do you perhaps have a link to an example of a stream handler?
There's a bunch in Cowboy itself and in tests. Look at the modules finishing with
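A sketch of the stream-handler approach mentioned above, added here as an illustration and not taken from the thread or from Cowboy's own code. It assumes the Cowboy 2.x `cowboy_stream` behaviour; the module name `strip_server_h` is hypothetical. It drops only `server` and leaves `date` in place, in line with the advice above.

```erlang
%% Hypothetical module (not part of Cowboy): removes the "server" header
%% from responses before the connection process writes them out.
%% Assumes the Cowboy 2.x cowboy_stream behaviour.
-module(strip_server_h).
-behaviour(cowboy_stream).

-export([init/3, data/4, info/3, terminate/3, early_error/5]).

%% Each callback delegates to the next handler in the chain and then
%% rewrites the commands that handler returned.
init(StreamID, Req, Opts) ->
    {Commands, Next} = cowboy_stream:init(StreamID, Req, Opts),
    {strip(Commands), Next}.

data(StreamID, IsFin, Data, Next0) ->
    {Commands, Next} = cowboy_stream:data(StreamID, IsFin, Data, Next0),
    {strip(Commands), Next}.

%% Replies sent with cowboy_req:reply/stream_reply arrive here as info
%% messages and come back from cowboy_stream_h as commands.
info(StreamID, Info, Next0) ->
    {Commands, Next} = cowboy_stream:info(StreamID, Info, Next0),
    {strip(Commands), Next}.

terminate(StreamID, Reason, Next) ->
    cowboy_stream:terminate(StreamID, Reason, Next).

%% Responses generated before a stream exists (e.g. a malformed request).
early_error(StreamID, Reason, PartialReq, Resp, Opts) ->
    strip_cmd(cowboy_stream:early_error(StreamID, Reason, PartialReq, Resp, Opts)).

strip(Commands) ->
    [strip_cmd(C) || C <- Commands].

%% Header maps use lowercase binary keys; "date" is deliberately kept.
strip_cmd({response, Status, Headers, Body}) ->
    {response, Status, maps:remove(<<"server">>, Headers), Body};
strip_cmd({headers, Status, Headers}) ->
    {headers, Status, maps:remove(<<"server">>, Headers)};
strip_cmd({error_response, Status, Headers, Body}) ->
    {error_response, Status, maps:remove(<<"server">>, Headers), Body};
strip_cmd(Command) ->
    Command.

%% Enable by listing it before cowboy_stream_h in the protocol options:
%%   #{env => ..., stream_handlers => [strip_server_h, cowboy_stream_h]}
```

The handler has to come before `cowboy_stream_h` in `stream_handlers` so that it sees the commands that handler returns.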
As I recall the Date header is required for some HTTP usages but is not required for all, and is indeed not used in some areas like embedded web servers, which is the main use case for when the HTTP spec says it's not required, and Nerves does exist for embedded Erlang. ^.^
https://tools.ietf.org/html/rfc7231#section-7.1.1.2
If you have a good clock, it's required to send it, if you don't, it's required not to. In some embedded cases you wouldn't have a clock for sure but things like the Pi and others are more than capable of generating the header. And the cases without a clock are probably better off using CoAP or similar anyway.
While trying to obfuscate server info for a Phoenix website, I noticed that Cowboy always sends the `date` and `server` headers. Due to how the response headers are merged inside `cowboy_req.erl`, the keys will always be present in the merged map. The best that can be done currently is to set the `server` value to be an empty string. However, it would be nicer if it were possible to omit those headers entirely.

In other words, the default headers might look like this:
It's possible to set the values to empty strings and achieve an output like the following:
but ideally, it would be better if the default headers could be overridden in their entirety and the output could be more or less empty, e.g.