
Can't remove X-Powered-By header #20344

Closed
ghost opened this Issue Oct 28, 2016 · 6 comments


ghost commented Oct 28, 2016

Calling $response->headers->remove('X-Powered-By') doesn't remove this header. Must fall back to header_remove('x-powered-by').

ben29 commented Oct 30, 2016

Why not remove it via the Apache/nginx config? It's better to do it there...

Header unset "X-Powered-By"

ghost commented Oct 30, 2016

> Why not remove it via the Apache/nginx config? It's better to do it there...

Hi, because I cannot apply any logic to it, and I feel uncomfortable setting it in such an off-code place, if I can at all.

I can imagine this issue is very minor and not harmful (but it doesn't have to be).
But why does this function for a seemingly simple task bring another case to the table:

  1. removing a header that PHP is able to remove
  2. removing a header that PHP is not able to remove
  3. removing a header that PHP is able to remove but Symfony doesn't handle that.

ben29 commented Oct 30, 2016

Set it via .htaccess.

Tobion commented Nov 1, 2016

Instead of removing the header afterwards, you should disable it being set at all: http://php.net/manual/en/ini.core.php#ini.expose-php

stof commented Nov 2, 2016

$response->headers->remove('X-Powered-By') does not remove the header, because the header is not part of the response object, given that it is not set by the Symfony application but by PHP itself.

Making this method call the header_remove function directly would break the encapsulation of the Response in the component, which would cause more harm.
The valid solution for your problem is indeed to forbid PHP to add this header in the first place, as explained by @Tobion.

And if you don't have access to change your php.ini (and your ops team does not accept using a more secure config), you can call header_remove('x-powered-by') in your code to work around the issue (while waiting to change to a host that allows you to have a secure config).
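As an added example (not from this issue and not Symfony's own code), a small PHP script that makes stof's point observable: PHP's own X-Powered-By header shows up in headers_list() but never in a Response object, expose_php cannot be switched off from script code, and header_remove() is the runtime fallback. The file name demo.php, the port, and the helper names are assumptions.

```php
<?php
// Added example, not part of the issue or Symfony. Run under a web SAPI
// (the CLI SAPI discards headers), e.g.:
//     php -S 127.0.0.1:8080 demo.php
//     curl -sI http://127.0.0.1:8080/ | grep -i x-powered-by
declare(strict_types=1);

/**
 * Names of the headers PHP itself will emit, lower-cased. Symfony's
 * ResponseHeaderBag only tracks headers set on the Response object, so a
 * header listed here but never set on the Response is invisible to it.
 */
function phpLevelHeaderNames(): array
{
    return array_map(
        static fn (string $h): string => strtolower(trim(explode(':', $h, 2)[0])),
        headers_list()
    );
}

/**
 * Fallback: strip X-Powered-By at the PHP level. Only possible while the
 * headers have not been flushed yet; returns false when it is too late.
 */
function stripPoweredBy(): bool
{
    if (headers_sent()) {
        return false;
    }
    header_remove('X-Powered-By'); // header names are case-insensitive
    return !in_array('x-powered-by', phpLevelHeaderNames(), true);
}

// expose_php is PHP_INI_SYSTEM, so ini_set() cannot turn it off at runtime.
// The durable fix belongs in the server-side configuration, for example:
//     expose_php = Off                    ; php.ini
//     php_admin_flag[expose_php] = off    ; php-fpm pool file
$before  = phpLevelHeaderNames();
$removed = stripPoweredBy();

header('Content-Type: text/plain');
echo 'expose_php: ', ini_get('expose_php') ? 'On' : 'Off', "\n";
echo 'X-Powered-By emitted by PHP before fallback: ',
    in_array('x-powered-by', $before, true) ? 'yes' : 'no', "\n";
echo 'removed via header_remove(): ', $removed ? 'yes' : 'no', "\n";
```

With expose_php = Off the first curl shows no X-Powered-By at all; with it On, the header is present in $before and gone after stripPoweredBy(), which is exactly the gap the Response object cannot see.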

@Tobion Tobion closed this Nov 2, 2016

ghost commented Nov 4, 2016

Thanks. Perhaps one would expect such a great explanation in the API documentation.
