How do I remove response headers?
Many application frameworks provide the ability to remove response headers; how is this done in Grape?
I see there is stuff like version 'v1', using: :header, vendor: 'twitter', cascade: false to turn off certain headers, but I want to harden my web server and remove them completely.
My goal is to implement the same headers that the ExpressJS library "helmet" uses to harden Node.js servers, but at the same time that library also removes headers for you, like X-Powered-By, which in my case is added by my Passenger server, which does not provide me with the ability to remove it...
< Content-Security-Policy: default-src 'self';base-uri 'self';block-all-mixed-content;font-src 'self' https: data:;frame-ancestors 'self';img-src 'self' data:;object-src 'none';script-src 'self';script-src-attr 'none';style-src 'self' https: 'unsafe-inline';upgrade-insecure-requests
< ETag: W/"3e-DqINi7yil7BpHYD6XuyvL1LYGGo"
< Expect-CT: max-age=0
< Referrer-Policy: no-referrer
< Strict-Transport-Security: max-age=15552000; includeSubDomains
< Vary: Accept-Encoding
< X-Content-Type-Options: nosniff
< X-DNS-Prefetch-Control: off
< X-Download-Options: noopen
< X-Frame-Options: SAMEORIGIN
< X-Permitted-Cross-Domain-Policies: none
< X-XSS-Protection: 0
I see that many libraries provide the ability to remove headers, but I can't find the response variable where response headers are kept in order to edit it, for instance:
ExpressJS
app.use(function (req, res, next) {
  res.header('Pragma', 'no-cache');   // set a header on the outgoing response
  res.removeHeader('Pragma');         // ...and delete it again before it is sent
  next();
});
Rails
response.headers['Connection'] = 'Closed'   # set a header on the outgoing response
remove_keys = %w(X-Runtime Cache-Control Server Etag Set-Cookie)
response.headers.delete_if { |key| remove_keys.include? key }   # drop every listed header
You can set headers with header, so header X, nil will remove it, same as in Rails. See https://github.com/ruby-grape/grape/blob/master/lib/grape/endpoint.rb#L273, where headers are returned to the Rack middleware stack. That said, there's a whole set of other middleware involved in a response, and each may be altering/adding/removing headers, so depending on how Grape is mounted, removing something may not actually remove it (because another middleware, e.g. rack-cache, would re-add it).
So the answer is "it depends" and "Grape might not be the right place to do it". Do you have a running example where a header is returned that you want removed?
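The answer's point is that a header deleted inside a Grape endpoint can be re-added by whatever middleware runs after Grape, so the reliable place to strip (and add) headers is a Rack middleware mounted outside the API, where it sees the final Rack response. The following is an added example, not code from the question, the answer or the Grape project: a dependency-free Rack middleware that removes a deny-list of headers (matched case-insensitively, as HTTP requires) and then sets the helmet header values quoted in the question. NOISY_APP is a constructed stand-in for "Grape plus the middleware between it and us" that re-adds X-Powered-By and an ETag, which is the failure mode the answer describes; the class and method names are this example's own. Note the caveat that still applies: a header injected by the web server itself (Passenger, nginx) is added after Rack has returned and is out of reach of any Rack code.

```ruby
# frozen_string_literal: true

# Rack middleware that strips unwanted response headers and adds hardening
# headers. Mount it OUTSIDE the Grape API (in config.ru: `use HardenHeaders`
# before `run MyAPI`) so it runs after every other middleware has touched the
# response and nothing downstream can re-add what it removed.
class HardenHeaders
  # Headers to drop, compared case-insensitively.
  DEFAULT_REMOVE = %w[X-Powered-By X-Runtime Server ETag].freeze

  # Values copied from the helmet output shown in the question.
  HARDENING = {
    'Content-Security-Policy' =>
      "default-src 'self';base-uri 'self';block-all-mixed-content;" \
      "font-src 'self' https: data:;frame-ancestors 'self';img-src 'self' data:;" \
      "object-src 'none';script-src 'self';script-src-attr 'none';" \
      "style-src 'self' https: 'unsafe-inline';upgrade-insecure-requests",
    'Referrer-Policy' => 'no-referrer',
    'Strict-Transport-Security' => 'max-age=15552000; includeSubDomains',
    'X-Content-Type-Options' => 'nosniff',
    'X-DNS-Prefetch-Control' => 'off',
    'X-Download-Options' => 'noopen',
    'X-Frame-Options' => 'SAMEORIGIN',
    'X-Permitted-Cross-Domain-Policies' => 'none',
    'X-XSS-Protection' => '0'
  }.freeze

  def initialize(app, remove: DEFAULT_REMOVE, add: HARDENING)
    @app = app
    @remove = remove.map(&:downcase)
    @add = add
  end

  # Standard Rack interface: call the inner app, then rewrite its headers.
  def call(env)
    status, headers, body = @app.call(env)
    # Drop deny-listed headers regardless of the case the inner app used.
    cleaned = headers.reject { |name, _| @remove.include?(name.to_s.downcase) }
    # Overwrite (not merge) so a weaker value set downstream cannot win.
    @add.each { |name, value| cleaned[name] = value }
    [status, cleaned, body]
  end
end

# Constructed stand-in for the inner stack (Grape + later middleware): it sets
# X-Powered-By with unusual casing and an ETag on every response, i.e. exactly
# the headers an endpoint-level `header 'X-Powered-By', nil` would not keep out.
NOISY_APP = lambda do |_env|
  [200,
   { 'Content-Type' => 'application/json',
     'x-powered-by' => 'Phusion Passenger',
     'ETag' => 'W/"3e-example"' },
   ['{"ok":true}']]
end

# Runs one constructed request through the hardened stack and returns the
# Rack triple so the result can be inspected.
def hardened_response(env = { 'REQUEST_METHOD' => 'GET', 'PATH_INFO' => '/api/v1/ping' })
  HardenHeaders.new(NOISY_APP).call(env)
end

if $PROGRAM_NAME == __FILE__
  _status, headers, _body = hardened_response
  headers.each { |k, v| puts "< #{k}: #{v}" }
end
```

Inside a Grape endpoint, the answer's form (header 'X-Runtime', nil) still removes the header from what Grape itself returns, and that is the right place for per-route decisions; the middleware above is for headers that must never leave the application regardless of which route or middleware produced them.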