Possibility to remove x-krakend headers from response

Open cedricjimenezst opened this issue 4 years ago • 12 comments

Is your feature request related to a problem? Please describe. For security reasons I would like to hide the x-krakend and x-krakend-completed headers from the responses, so that no one knows that I use krakend and the version.

Describe the solution you'd like A boolean in the config hide_krakend_headers

Describe alternatives you've considered Maybe a plugin to remove these headers, but I didn't find one. I tried with martian but didn't figure out how to do it.

Additional context image

cedricjimenezst avatar Jan 07 '21 09:01 cedricjimenezst

+1

samail avatar Feb 24 '21 08:02 samail

+1

Savellia avatar Feb 24 '21 09:02 Savellia

I think you can add nginx as a reverse proxy for krakend.

ramadhia avatar Mar 03 '21 12:03 ramadhia
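
The reverse-proxy approach suggested in the comment above, shown here with Go's `httputil.ReverseProxy` instead of nginx; this is an added example, not code from the thread or from KrakenD. The helper names (`newStrippingProxy`, `leakedHeaders`) and the listen and gateway addresses are assumptions.

```go
package main

import (
	"log"
	"net/http"
	"net/http/httputil"
	"net/url"
)

// Headers named in this issue that reveal the gateway product and version.
var fingerprintHeaders = []string{"X-Krakend", "X-Krakend-Completed"}

// newStrippingProxy (hypothetical helper) forwards requests to the gateway at
// target and deletes the fingerprinting headers from every proxied response.
func newStrippingProxy(target string) (*httputil.ReverseProxy, error) {
	u, err := url.Parse(target)
	if err != nil {
		return nil, err
	}
	proxy := httputil.NewSingleHostReverseProxy(u)
	proxy.ModifyResponse = func(resp *http.Response) error {
		for _, h := range fingerprintHeaders {
			resp.Header.Del(h) // Del canonicalizes, so x-krakend matches too
		}
		return nil
	}
	return proxy, nil
}

// leakedHeaders (hypothetical helper) reports which fingerprinting headers are
// still present, for a smoke test against the public listener.
func leakedHeaders(h http.Header) []string {
	var found []string
	for _, name := range fingerprintHeaders {
		if len(h.Values(name)) > 0 {
			found = append(found, name)
		}
	}
	return found
}

func main() {
	// Assumed addresses: gateway on 127.0.0.1:8080, public listener on :8000.
	proxy, err := newStrippingProxy("http://127.0.0.1:8080")
	if err != nil {
		log.Fatal(err)
	}
	log.Fatal(http.ListenAndServe(":8000", proxy))
}
```

Running `leakedHeaders` over the headers of a response fetched through the public listener gives a deployment check that fails if the gateway is ever exposed without the stripping layer.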

I'd like to use this feature as well. It sounded easy enough to try to create a PR for this. After reviewing the code, it seems like the methods that set these headers only have easy access to the EndpointConfig whereas the suggested config flag would (I'm assuming) preferably reside in the ServiceConfig. It looks like there would be quite some forwarding necessary to get the flag to where it's needed. Therefore, I'd like to ask if you're interested in a PR at all and secondly what would be the preferred way from an architecture standpoint to bridge this gap and to make service-level configuration accessible.

dschanoeh avatar Mar 14 '21 16:03 dschanoeh

+1

+1

krishnarajvr avatar Mar 20 '21 01:03 krishnarajvr

Started using Krakend. Very easy to integrate. This is one of the features I am looking for.

krishnarajvr avatar Mar 20 '21 01:03 krishnarajvr

If you're building the binary yourself, you can remove (basically rename) the KrakenD headers by overriding those values by passing in LDFLAGS in the build command.

go build \
  -ldflags="-X github.com/devopsfaith/krakend/core.KrakendVersion=1.0 \
  -X github.com/devopsfaith/krakend/core.KrakendHeaderName=X-API-Gateway \
  -X github.com/devopsfaith/krakend/transport/http/server.CompleteResponseHeaderName=X-API-Gateway-Completed" \
  -o krakend ./cmd/krakend-ce

But the header X-Krakend would not be renamed because that is defined with a const. If it were a var, it could be modified via the LDFLAGS. @kpacha can we change that to var to enable developers to rename the header during build?

ifaisalalam avatar Apr 04 '21 11:04 ifaisalalam

+1

CryptoZifter avatar Apr 23 '21 17:04 CryptoZifter

Wouldn't it make more sense to have the info in the Server response header? E.g.: Server: krakend/version

int3rlop3r avatar May 15 '21 11:05 int3rlop3r

+1

delameter avatar Dec 06 '21 16:12 delameter

These headers are advertising with low efficiency but a great help for the hacker. +1 for replacing with Server: krakend

sokil avatar Apr 21 '22 20:04 sokil

+1

Zamony avatar May 21 '22 09:05 Zamony

+1

joepour avatar Oct 20 '22 05:10 joepour

+1

shariqmus avatar Oct 31 '22 13:10 shariqmus

This issue was marked as resolved a long time ago and now has been automatically locked as there has not been any recent activity after it. You can still open a new issue and reference this link.

github-actions[bot] avatar Feb 07 '23 01:02 github-actions[bot]