webhintio / hint

💡 A hinting engine for the web

Home Page:https://webhint.io/


Remove or reduce severity of reports for `Via` HTTP Header

antross opened this issue · comments

Taking the liberty to comment on this issue, especially regarding the Via HTTP header. More often than not, it appears that this header is added by proxies, which makes it difficult or impossible to fix. For instance, Google Cloud Load Balancing adds `Via: 1.1 google` to incoming requests and responses. Any CDN sitting behind GCLB, such as Sanity’s, will display this header.

The article linked in the original message from this issue also mentions this. Although it does say it’s most likely safe to remove (which I’m not arguing here), it also states that proxies have to set it up, and most people don’t have control over their proxy.

> More debatable perhaps is Via, which is required (by RFC7230) to be added to the request by any proxy through which it passes to identify the proxy. This can be the proxy’s hostname, but is more likely to be a generic identifier like “vegur”, “varnish”, or “squid”. Removing (or not setting) this header on a request can cause proxy forwarding loops. However, interestingly it is also copied into the response on the way back to the browser, and here it's just informational and no browsers do anything with it, so it’s reasonably safe to get rid of it if you want to.

I was wondering if you’d be considering dropping the Via warning.

Originally posted by @KittyGiraudel in #1096 (comment)
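As an added example (not webhint's own code; the severity and report types below are constructed for illustration, not webhint's API), here is how a header check could parse a `Via` value into its proxy hops and report it at an informational level rather than as a warning, reflecting the point above that intermediaries add it and browsers ignore it on responses:

```typescript
// Added example, not part of webhint. Parses a `Via` header per the RFC 7230
// grammar  Via = 1#( received-protocol RWS received-by [ RWS comment ] )
// and reports it at "information" severity, since intermediaries (e.g. a load
// balancer adding "1.1 google") set it, not the site being scanned.

type ViaHop = { protocol: string; receivedBy: string; comment?: string };
type Severity = "off" | "hint" | "information" | "warning" | "error"; // constructed
type Report = { header: string; severity: Severity; message: string };

// Split a comma-separated header list, ignoring commas inside "(...)" comments.
function splitHeaderList(value: string): string[] {
  const parts: string[] = [];
  let depth = 0, current = "";
  for (const ch of value) {
    if (ch === "(") depth++;
    else if (ch === ")") depth = Math.max(0, depth - 1);
    if (ch === "," && depth === 0) { parts.push(current); current = ""; }
    else current += ch;
  }
  parts.push(current);
  return parts.map((p) => p.trim()).filter((p) => p.length > 0);
}

// One hop per list element: "<protocol> <received-by> [(comment)]".
function parseVia(value: string): ViaHop[] {
  const hops: ViaHop[] = [];
  for (const entry of splitHeaderList(value)) {
    const m = /^(\S+)\s+(\S+)(?:\s+\((.*)\))?$/.exec(entry);
    if (!m) continue; // malformed element: skip rather than guess
    const hop: ViaHop = { protocol: m[1], receivedBy: m[2] };
    if (m[3] !== undefined) hop.comment = m[3];
    hops.push(hop);
  }
  return hops;
}

// On a response Via is informational only, so it is reported at "information".
function reportVia(headers: Record<string, string>): Report | null {
  const key = Object.keys(headers).find((k) => k.toLowerCase() === "via");
  if (key === undefined) return null;
  const hops = parseVia(headers[key]);
  const chain = hops.map((h) => h.receivedBy).join(" -> ") || headers[key];
  return {
    header: "via",
    severity: "information",
    message: `'via' was added by ${hops.length} intermediary hop(s) (${chain}); ` +
      "it is informational on responses and usually outside the site's control",
  };
}
```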

Thanks for bringing this up @KittyGiraudel. We have made prior changes to remove or reduce the severity of reports that are difficult to act upon if the impact is minor (e.g., most header-based reports in localhost development environments are now ignored). This seems like another case worth considering.

@molant @hxlnt what do you think?

I can't remember why Via is not recommended so I'm inclined to remove it or revisit the severity if we find up to date information about possible issues with it.

From what I gathered from the repository activity, Via was discussed as part of #1096 (comment) and just added with a bunch of other headers. I don’t think too much thought went into that header in particular.

Thanks for the link @KittyGiraudel!

From the referenced article at the top of the issue:

> More debatable perhaps is Via, which is required (by RFC7230) to be added to the request by any proxy through which it passes to identify the proxy. This can be the proxy’s hostname, but is more likely to be a generic identifier like “vegur”, “varnish”, or “squid”. Removing (or not setting) this header on a request can cause proxy forwarding loops. However, interestingly it is also copied into the response on the way back to the browser, and here it's just informational and no browsers do anything with it, so it’s reasonably safe to get rid of it if you want to.

I think it's reasonable to remove it from the hint.

@captainbrosset, you were part of the original discussion. What do you think?

> I don’t think too much thought went into that header in particular.

Correct. We were mostly following the article's recommendations at the time, and I fear the nuance about proxies using it got lost along the way.

So, I'm fine removing the warning for Via.