X-Powered-By in Response Header even after applying helmet
chiragshahklc opened this issue · comments
Code

```js
const express = require("express");
const helmet = require("helmet");

const app = express();

// Apply helmet's default middleware set (this includes hidePoweredBy).
app.use(helmet());

// Add a Content-Security-Policy on top of the defaults, relaxing script-src.
app.use(
  helmet.contentSecurityPolicy({
    useDefaults: true,
    directives: {
      "script-src": ["'self'", "'unsafe-inline'", "'unsafe-eval'"],
      "script-src-attr": ["'self'"],
    },
  })
);
```
[screenshot: response headers before helmet]
[screenshot: response headers after helmet]
Versions
Node: 14.17.0
npm: 7.16.0
helmet: 4.6.0
nodemon: 2.0.7
Anyone having a similar issue?
I am facing the exact same issue after upgrading from 4.4.0 to 4.6.0.
Note that I even have the following line in my code: `app.disable('x-powered-by')` (the explicit way to disable that header).
If you look at both screenshots carefully, before helmet the response header was x-powered-by, but after applying helmet it's X-Powered-By.
Check difference in text case.
I feel like it's been applied by the helmet itself mistakenly
Sorry you're running into this. Could you give me a small sample app that reproduces the problem?
@EvanHahn Hi! Thank you so much for your quick response.
I am trying to create a minimal reproducible example, but I am struggling to reproduce it. When I make a GET request to my API from the app, the header does show up. However, when I enter the API endpoint directly into the browser, the header does NOT show up...
Do you happen to have any idea as to what is going on here?
As @chiragshahklc pointed out, the header is oddly capitalized for some reason...
I can't explain it, unfortunately. I don't think anything changed since 4.4.0.
If you have reliable reproduction steps, that'd be super helpful for me to be able to get to the bottom of this.
@EvanHahn I have looked into this "issue" further and I think that I have found the problem... This didn't appear for me only after upgrading to 4.6.0. It happened on 4.4.0 too. (Oops...)
In development I have the app (Next.js) running on one port and the API server on another. I then use a custom proxy to redirect any requests to the API server as if they were both running on the same port. Now it appears as if the proxy is responsible for setting the header... In production this doesn't happen because this custom proxy is not used. (The routing of requests is done by the hosting infrastructure). Which made me believe initially that the header was a result of upgrading Helmet...
I haven't checked the 4.6.0 in production yet, but I'm pretty convinced the header will not be included.
My apologies for not realizing this quicker. Thank you so much for your help.
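One way to check where the header is coming from, as an added example that is not part of this thread or of helmet: a Node script (built-ins only) that parses the response head returned by the app directly and the response head returned through the dev proxy, matches header names case-insensitively (HTTP header names are case-insensitive, so `x-powered-by` and `X-Powered-By` are the same header and must be matched the same way), and reports which fingerprint headers only appear after the proxy. The two response texts, including the `X-Powered-By` value, are constructed sample data.

```javascript
// Added example, not code from the helmet project or from the thread: a
// built-ins-only audit that tells apart a response served by the app itself
// from the same response after it passed through a dev proxy.

// Header names that reveal the server stack; compared case-insensitively.
const FINGERPRINT_HEADERS = ['x-powered-by', 'server'];

// Parse the head of an HTTP/1.1 response text into { status, headers }.
// The original header spelling is kept (it hints at which component wrote
// the header) but matching is done on the lower-cased name, because HTTP
// header names are case-insensitive.
function parseResponseHead(raw) {
  const head = raw.split(/\r?\n\r?\n/)[0];
  const lines = head.split(/\r?\n/);
  const status = /^HTTP\/\d\.\d (\d{3})/.exec(lines[0]);
  if (!status) throw new Error('not an HTTP response head: ' + lines[0]);
  const headers = [];
  for (const line of lines.slice(1)) {
    const colon = line.indexOf(':');
    if (colon === -1) continue; // skip malformed lines instead of failing
    headers.push({
      name: line.slice(0, colon).trim(),
      value: line.slice(colon + 1).trim(),
    });
  }
  return { status: Number(status[1]), headers };
}

// Return the fingerprint headers present in a response head, in any case.
function findFingerprintHeaders(raw) {
  return parseResponseHead(raw).headers.filter((h) =>
    FINGERPRINT_HEADERS.includes(h.name.toLowerCase())
  );
}

// Compare the direct and proxied responses to the same request and list the
// fingerprint headers that only appear after the proxy.
function diagnose(directRaw, proxiedRaw) {
  const direct = findFingerprintHeaders(directRaw);
  const proxied = findFingerprintHeaders(proxiedRaw);
  const seenDirect = new Set(direct.map((h) => h.name.toLowerCase()));
  const addedByProxy = proxied.filter((h) => !seenDirect.has(h.name.toLowerCase()));
  return { direct, proxied, addedByProxy };
}

// Constructed sample: what the helmet-protected app returns when called directly.
const DIRECT_RESPONSE = [
  'HTTP/1.1 200 OK',
  'Content-Type: application/json; charset=utf-8',
  "Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; script-src-attr 'self'",
  'X-Content-Type-Options: nosniff',
  'Content-Length: 2',
  '',
  '{}',
].join('\r\n');

// Constructed sample: the same response after a dev proxy re-added the header
// (the header value is made up; it stands for whatever the proxy sets).
const PROXIED_RESPONSE = [
  'HTTP/1.1 200 OK',
  'Content-Type: application/json; charset=utf-8',
  "Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; script-src-attr 'self'",
  'X-Content-Type-Options: nosniff',
  'X-Powered-By: Express',
  'Content-Length: 2',
  '',
  '{}',
].join('\r\n');

const report = diagnose(DIRECT_RESPONSE, PROXIED_RESPONSE);
console.log('direct:', report.direct); // []
console.log('added by proxy:', report.addedByProxy); // [ { name: 'X-Powered-By', value: 'Express' } ]
```

To use it against a real setup, capture the two response heads (for example with `curl -si` against the app's port and against the proxy's port) and feed them to `diagnose`; a header that is absent in the direct response but present in the proxied one was written by the proxy, not by the app or by helmet.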
I agree with @marnixhoh.
I checked it after deploying it. It doesn't show. Although, I got that on localhost even without any proxy.
But I think I am ok as long as I am not getting that on production.
Thank you so much @EvanHahn
Great. I'm going to close this issue because it sounds like it's been resolved. Let me know if that's wrong and I will reopen.
@chiragshahklc it's interesting that you are experiencing this issue even though you are not using a proxy... Are you using a framework like Next.js by any chance?