secure icon indicating copy to clipboard operation
secure copied to clipboard

Published 20 hours ago • verified publisher icon cak

Server header is not overridden

Open lsmith77 opened this issue 2 years ago • 4 comments

I am using the following in a FastAPI project

server = secure.Server().set("Secure")

But the result is:

server: uvicorn
server: Secure

ie. it does not override the server header but simply adds another one.

lsmith77 avatar Jun 28 '23 06:06 lsmith77

I just got the same problem. Turns out it is uvicorn that injects the server header unconditionally. You can run uvicorn with the --no-server-header option to disable this header. Ref: https://www.uvicorn.org/settings/#http

nashyeung avatar Aug 31 '23 22:08 nashyeung

In my case I fixed it now using

    uvicorn.run(
        app,
        host="0.0.0.0",
        port=8000,
        server_header=False,
    )

lsmith77 avatar Sep 06 '23 07:09 lsmith77

Thanks @lsmith77 and @nashyeung! I'll add this to the documentation.

cak avatar Apr 29 '24 09:04 cak

I'll just point out in this issue that if you use Uvicorn VIA Gunicorn (eg: as a Uvicorn-Worker), this setting is not passed so it's impossible to override, unless subclassing the worker itself. This is not a problem with Secure.py but with Uvicorn/Gunicorn combo.

Refer here -> https://github.com/encode/uvicorn/issues/1436 | https://github.com/encode/uvicorn/discussions/1435

alexmaurizio avatar Aug 13 '24 10:08 alexmaurizio