Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Can't remove X-Powered-By header #20344

Closed
ghost opened this issue Oct 28, 2016 · 6 comments
Closed

Can't remove X-Powered-By header #20344

ghost opened this issue Oct 28, 2016 · 6 comments

Comments

@ghost
Copy link

@ghost ghost commented Oct 28, 2016

Call $response->headers->remove('X-Powered-By') doesn't remove this header. Must fallback to header_remove('x-powered-by').

@ben29
Copy link
Contributor

@ben29 ben29 commented Oct 30, 2016

why not remove by apache/nginx config? it's better to do it...

Header unset "X-Powered-By"

@ghost
Copy link
Author

@ghost ghost commented Oct 30, 2016

why not remove by apache/nginx config? it's better to do it...

Hi, because I cannot apply any logic to it, and feel uncomfy setting it in such off-code place - if I can at all.

I can imagine this issue is very minor and not harmful (but don't have to be).
But why this function for seemingly simple task brings another case to the table:

  1. removing header that PHP is able to remove
  2. removing header that PHP is not able to remove
  3. removing header that PHP is able to remove but Symfony doesn't handle that.
@ben29
Copy link
Contributor

@ben29 ben29 commented Oct 30, 2016

set it by .htaccess.

@Tobion
Copy link
Member

@Tobion Tobion commented Nov 1, 2016

Instead of removing the header afterwards, you should disable it being set at all: http://php.net/manual/en/ini.core.php#ini.expose-php

@stof
Copy link
Member

@stof stof commented Nov 2, 2016

$response->headers->remove('X-Powered-By') does not remove the header, because the header is not part of the response object, given that it is not set by the Symfony application but by PHP itself.

Making this method call the header_remove function directly would break the encapsulation of the Response in the component, which would cause more harm.
The valid solution for your problem is indeed to forbid PHP to add this header in the first place, as explained by @Tobion.

And if you don't have access to your change your php.ini (and your ops team does not accept to use a more secure config), you can call header_remove('x-powered-by') in your code to workaround the issue (in the waiting for changing to a host allowing you to have a secure config)

@Tobion Tobion closed this Nov 2, 2016
@ghost
Copy link
Author

@ghost ghost commented Nov 4, 2016

Thanks. Perhaps one would expect such great explanation in API documentation.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Linked pull requests

Successfully merging a pull request may close this issue.

None yet
3 participants