
Feature: override all response headers (not just their values) #1440

Closed
fireproofsocks opened this issue Feb 27, 2020 · 5 comments

fireproofsocks commented Feb 27, 2020

While trying to obfuscate server info for a Phoenix website, I noticed that Cowboy always sends the date and server headers. Due to how the response headers are merged inside cowboy_req.erl, the keys will always be present in the merged map. The best that can be done currently is to set the server value to be an empty string. However, it would be nicer if it were possible to omit those headers entirely.

In other words, the default headers might look like this:

```
curl -I http://cowboy-powered-app.localhost/
HTTP/1.1 200 OK
date: Wed, 26 Feb 2020 23:49:34 GMT
server: Cowboy
```

It's possible to set the values to empty strings and achieve an output like the following:

```
curl -I http://cowboy-powered-app.localhost/
HTTP/1.1 200 OK
date: 
server: 
```

but ideally, it would be better if the default headers could be overridden in their entirety and the output could be more or less empty, e.g.

```
curl -I http://cowboy-powered-app.localhost/
HTTP/1.1 200 OK
```

essen commented Feb 27, 2020

You can remove them via stream handlers.

I would, however, strongly advise against removing the Date header which is required by HTTP. I would also advise against removing the server header as this doesn't provide any real security.

essen closed this as completed Feb 27, 2020
@fireproofsocks

Thanks for the response! (And yes, "security through obscurity" is no real security at all, we just don't want to disclose any unnecessary info). Do you perhaps have a link to an example of a stream handler?

essen commented Feb 27, 2020

There's a bunch in Cowboy itself and in tests. Look at the modules finishing with _h.
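
As an added illustration of the stream-handler approach essen points to (this is not code from the thread or from Cowboy itself; the module name strip_server_h is hypothetical), here is a Cowboy 2.x stream handler that wraps the next handler in the chain and drops only the server header from outgoing response commands, leaving date in place:

```erlang
%% Added example (not from this thread or from Cowboy): a hypothetical
%% stream handler, strip_server_h, that removes the "server" response
%% header. The "date" header is deliberately left untouched.
-module(strip_server_h).
-behaviour(cowboy_stream).

-export([init/3, data/4, info/3, terminate/3, early_error/5]).

%% State of the next handler in the chain (normally cowboy_stream_h).
-record(state, {next :: any()}).

%% Each callback delegates to the rest of the chain via cowboy_stream,
%% then rewrites the commands that come back before they reach the
%% protocol layer.
init(StreamID, Req, Opts) ->
    {Commands, Next} = cowboy_stream:init(StreamID, Req, Opts),
    {strip(Commands), #state{next = Next}}.

data(StreamID, IsFin, Data, State = #state{next = Next0}) ->
    {Commands, Next} = cowboy_stream:data(StreamID, IsFin, Data, Next0),
    {strip(Commands), State#state{next = Next}}.

info(StreamID, Info, State = #state{next = Next0}) ->
    {Commands, Next} = cowboy_stream:info(StreamID, Info, Next0),
    {strip(Commands), State#state{next = Next}}.

terminate(StreamID, Reason, #state{next = Next}) ->
    cowboy_stream:terminate(StreamID, Reason, Next).

%% Early errors (e.g. an unparseable request line) never reach a request
%% handler, so the key is removed here as well; maps:remove/2 is a no-op
%% when it is absent.
early_error(StreamID, Reason, PartialReq, {response, Status, Headers, Body}, Opts) ->
    Resp = {response, Status, maps:remove(<<"server">>, Headers), Body},
    cowboy_stream:early_error(StreamID, Reason, PartialReq, Resp, Opts).

%% Only the commands that carry response headers are rewritten.
strip([{response, Status, Headers, Body} | Tail]) ->
    [{response, Status, maps:remove(<<"server">>, Headers), Body} | strip(Tail)];
strip([{headers, Status, Headers} | Tail]) ->
    [{headers, Status, maps:remove(<<"server">>, Headers)} | strip(Tail)];
strip([{error_response, Status, Headers, Body} | Tail]) ->
    [{error_response, Status, maps:remove(<<"server">>, Headers), Body} | strip(Tail)];
strip([Command | Tail]) ->
    [Command | strip(Tail)];
strip([]) ->
    [].
```

Install it ahead of cowboy_stream_h in the `stream_handlers` protocol option, e.g. `#{stream_handlers => [strip_server_h, cowboy_stream_h]}`, so that the commands returned by the inner handler flow back through it.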

@OvermindDL1

As I recall the Date header is required for some HTTP usages but is not required for all, and is indeed not used in some areas like embedded web servers, which is the main use case for when the HTTP spec says it's not required, and nerves does exist for embedded erlang. ^.^

essen commented Feb 27, 2020

https://tools.ietf.org/html/rfc7231#section-7.1.1.2

   An origin server MUST NOT send a Date header field if it does not
   have a clock capable of providing a reasonable approximation of the
   current instance in Coordinated Universal Time.  An origin server MAY
   send a Date header field if the response is in the 1xx
   (Informational) or 5xx (Server Error) class of status codes.  An
   origin server MUST send a Date header field in all other cases.

If you have a good clock, it's required to send it, if you don't, it's required not to. In some embedded cases you wouldn't have a clock for sure but things like the Pi and others are more than capable of generating the header. And the cases without a clock are probably better off using CoAP or similar anyway.
