Many application frameworks provide the ability to remove response headers, how is this done in Grape?
I see there is stuff like `version 'v1', using: :header, vendor: 'twitter', cascade: false` to turn off certain headers, but I want to harden my webserver and remove them completely.
My goal is to implement the same headers that the expressJS library "helmet" uses to harden nodejs servers, but at the same time the same library removes headers for you like X-Powered-By, which in my case is added by my Passenger server, which does not provide me with the ability to remove it...
I see that many libraries provide the ability to remove headers, but I can't find the response variable where response headers are kept in order to edit it.
for instance:
You can set headers with `header`, so `header X, nil` will remove it, same as in Rails. See https://github.com/ruby-grape/grape/blob/master/lib/grape/endpoint.rb#L273 where headers are returned to the rack middleware stack. That said, there's a whole set of other middleware involved in a response, and each may be altering/adding/removing headers, thus depending on how Grape is mounted, removing something may not actually be removing it (because another middleware, e.g. rack-cache, would re-add it).
So the answer is "it depends" and "grape might not be the right place to do it". Do you have a running example where a header is returned that you want removed?
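The ordering effect described in the reply above, as an added example that is not part of the original thread or Grape's own code: a header-stripping middleware only removes what layers beneath it have set. `StripHeaders`, `AddsHeader`, `INNER_APP` and the header values are hypothetical stand-ins written against the plain Rack calling convention, so no gems are needed.

```ruby
# Added example: plain Rack-protocol objects, no gems required.
# All class names and header values here are hypothetical.

class StripHeaders
  def initialize(app, names)
    @app = app
    @names = names.map(&:downcase)
  end

  def call(env)
    status, headers, body = @app.call(env)
    # Compare case-insensitively: header-name casing differs between layers.
    kept = headers.reject { |name, _| @names.include?(name.downcase) }
    [status, kept, body]
  end
end

# Stand-in for any middleware that sets a header on the way out.
class AddsHeader
  def initialize(app, name, value)
    @app, @name, @value = app, name, value
  end

  def call(env)
    status, headers, body = @app.call(env)
    [status, headers.merge(@name => @value), body]
  end
end

# Stand-in for the mounted API endpoint (constructed response).
INNER_APP = lambda do |_env|
  [200, { "Content-Type" => "application/json", "X-Runtime" => "0.01" }, ["{}"]]
end

BANNED = ["X-Powered-By", "X-Runtime", "Server"].freeze

# Stripper sits inside the layer that adds the header: the header survives.
def stripper_inside
  AddsHeader.new(StripHeaders.new(INNER_APP, BANNED), "X-Powered-By", "example")
end

# Stripper is outermost: it sees everything set by the layers beneath it.
def stripper_outside
  StripHeaders.new(AddsHeader.new(INNER_APP, "X-Powered-By", "example"), BANNED)
end

def response_header_names(app)
  _status, headers, _body = app.call({})
  headers.keys.sort
end
```

Headers attached by the web server itself after the Rack stack has returned are out of reach of any Rack middleware and have to be handled in the server's own configuration.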