Response timing #315
Response timing #315
Conversation
This is generally considered bad security practice.
| const path = require('path') | ||
|
|
||
| module.exports = function (webhook) { | ||
| const app = express() | ||
| app.set('x-powered-by', false) |
There was a problem hiding this comment.
I encourage you to read this statement from an Express maintainer about this issue.
There was a problem hiding this comment.
I don't disagree with his point about security by obscurity.
I would be more sympathetic to the "give credit to the hard-working people who have enabled you to write your code so fast" argument if it also acknowledged all the tools that express has used for free that enabled it to receive such prominence (like Node.js, npm and GitHub for hosting the project for free, Sinatra and rack from ruby since that heavily influence the design, etc).
The header is still frivolous, and there are better ways to acknowledge people who made it possible.
There was a problem hiding this comment.
I'm all for surfacing the packages we use somewhere to give ample credit (they certainly deserve it), but I don't think anyone looks at headers and says "Hey what's Express?" - so I'm okay with doing this.
|
I'm going to close this in favor of #322, which has to do its own timing. |
This adds the
X-Response-Timeheader to report how long a request takes. I also noticed theX-Powered-Byheader was reportingExpress. I debated about updating it toProbot, but it is generally considered bad practice to include this header, so I just disabled it entirely.