helmetjs / helmet

Help secure Express apps with various HTTP headers

Home Page: https://helmetjs.github.io/


X-Powered-By in Response Header even after applying helmet

chiragshahklc opened this issue · comments

Code

// Imports and app setup added so the snippet runs as posted
const express = require("express");
const helmet = require("helmet");
const app = express();

app.use(helmet())
app.use(
  helmet.contentSecurityPolicy({
    useDefaults: true,
    directives: {
      "script-src": ["'self'", "'unsafe-inline'", "'unsafe-eval'"],
      "script-src-attr": ["'self'"],
    },
  })
)

Before helmet

image

After helmet

image

Versions

Node: 14.17.0
npm: 7.16.0
helmet: 4.6.0
nodemon: 2.0.7

Anyone having a similar issue?

I am facing the exact same issue after upgrading from 4.4.0 to 4.6.0.

Note that I even have the following line in my code: app.disable('x-powered-by'). (The explicit way to disable that header)

If you look at both screenshots carefully, before helmet the response header was x-powered-by, but after applying helmet it's X-Powered-By.
Check the difference in text case.
I feel like it's been applied by helmet itself mistakenly.

Sorry you're running into this. Could you give me a small sample app that reproduces the problem?

@EvanHahn Hi! Thank you so much for your quick response.

I am trying to create a minimal reproducible example, but I am struggling to reproduce it. Let's say I make a GET request to my API from the app: the header does show up. However, when I enter the API endpoint directly into the browser, the header does NOT show up...

Do you happen to have any idea as to what is going on here?

As @chiragshahklc pointed out, the header is oddly capitalized for some reason...

I can't explain it, unfortunately. I don't think anything changed since 4.4.0.

If you have reliable reproduction steps, that'd be super helpful for me to be able to get to the bottom of this.

@EvanHahn I have looked into this "issue" further and I think that I have found the problem... This didn't appear for me only after upgrading to 4.6.0. It happened on 4.4.0 too. (Oops...)

In development I have the app (Next.js) running on one port and the API server on another. I then use a custom proxy to redirect any requests to the API server as if they were both running on the same port. Now it appears as if the proxy is responsible for setting the header... In production this doesn't happen because this custom proxy is not used (the routing of requests is done by the hosting infrastructure), which made me believe initially that the header was a result of upgrading Helmet...

I haven't checked 4.6.0 in production yet, but I'm pretty convinced the header will not be included.

My apologies for not realizing this quicker. Thank you so much for your help.
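The diagnosis above (the header is re-added by an intermediary, not by the Helmet-protected API) can be confirmed without screenshots by diffing the raw response headers of a direct call against the same call made through the proxy. The following script is an added example, not code from the issue thread or from the helmet project. It works on Node's `rawHeaders` layout (a flat `[name, value, name, value, ...]` array that preserves the casing each server sent), compares names case-insensitively as HTTP requires, and reports which headers only the proxied response carries and which ones changed casing. The two header sets at the bottom are constructed, not captured responses, and the `X-Powered-By: Express` value is an assumption about what an Express-based dev proxy without Helmet would emit.

```javascript
// Added example (not part of the issue thread or helmet): find which hop
// adds or rewrites X-Powered-By by diffing the headers seen directly from
// the API against the headers seen through a development proxy.

// Turn a rawHeaders array into a Map keyed by lower-cased name while keeping
// the casing the server actually sent, so case differences can be reported.
function parseRawHeaders(rawHeaders) {
  const map = new Map();
  for (let i = 0; i + 1 < rawHeaders.length; i += 2) {
    const name = rawHeaders[i];
    const value = rawHeaders[i + 1];
    const key = name.toLowerCase();
    if (map.has(key)) {
      map.get(key).values.push(value); // repeated header, e.g. Set-Cookie
    } else {
      map.set(key, { sentAs: name, values: [value] });
    }
  }
  return map;
}

// Case-insensitive lookup; returns null when the header is absent.
function getHeader(rawHeaders, name) {
  const entry = parseRawHeaders(rawHeaders).get(name.toLowerCase());
  return entry ? { sentAs: entry.sentAs, values: entry.values } : null;
}

// Headers present only in the proxied response were added by the proxy;
// headers present in both but spelled differently were re-emitted by it.
function diffHeaders(directRaw, proxiedRaw) {
  const direct = parseRawHeaders(directRaw);
  const proxied = parseRawHeaders(proxiedRaw);
  const addedByProxy = [];
  const casingChanged = [];
  for (const [key, entry] of proxied) {
    if (!direct.has(key)) {
      addedByProxy.push({ name: entry.sentAs, values: entry.values });
    } else if (direct.get(key).sentAs !== entry.sentAs) {
      casingChanged.push({ direct: direct.get(key).sentAs, proxied: entry.sentAs });
    }
  }
  return { addedByProxy, casingChanged };
}

// Constructed sample data modelled on the thread: the API behind helmet()
// sends no x-powered-by header; the dev proxy (assumed to be an Express app
// without Helmet) appends one with its own capitalisation.
const DIRECT_RAW = [
  "Content-Security-Policy", "default-src 'self';script-src 'self' 'unsafe-inline' 'unsafe-eval'",
  "X-Content-Type-Options", "nosniff",
  "Content-Type", "application/json; charset=utf-8",
];
const PROXIED_RAW = [
  "Content-Security-Policy", "default-src 'self';script-src 'self' 'unsafe-inline' 'unsafe-eval'",
  "X-Content-Type-Options", "nosniff",
  "Content-Type", "application/json; charset=utf-8",
  "X-Powered-By", "Express",
];

function demo() {
  const report = diffHeaders(DIRECT_RAW, PROXIED_RAW);
  console.log(JSON.stringify(report, null, 2));
  return report;
}

demo();
```

To use it against a real setup, fetch the same endpoint twice with Node's `http.get` (once on the API port, once on the proxy port) and pass each response's `rawHeaders` to `diffHeaders`; anything listed under `addedByProxy` or `casingChanged` is set by the intermediary, so `app.disable('x-powered-by')` or `helmet()` on the API cannot remove it.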

I agree with @marnixhoh.
I checked it after deploying. It doesn't show. Although I got that on localhost even without any proxy.
But I think I am ok as long as I am not getting that in production.

Thank you so much @EvanHahn
image

Great. I'm going to close this issue because it sounds like it's been resolved. Let me know if that's wrong and I will reopen.

@chiragshahklc it's interesting that you are experiencing this issue even though you are not using a proxy... Are you using a framework like Next.js by any chance?