Add server header option to dev and run commands

Open smarcelloc opened this issue 8 months ago • 0 comments

Security Enhancement: Server Header Control in FastAPI CLI

Problem Context

Uvicorn, by default, includes the "Server: uvicorn" header in all HTTP responses. This information represents a security risk because:

  1. It exposes technical details about the infrastructure (Uvicorn server => Python)
  2. It makes it easier for potential attackers to identify the technology being used
  3. It can be used to target specific attacks knowing the underlying technology

Before: [image]

Now: [image]

Solution Implemented

Added a new --server-header option to the fastapi dev and fastapi run commands, which:

  • Is disabled by default (False), removing the "Server: uvicorn" header from responses
  • When explicitly enabled (--server-header), maintains the original behavior

How to Use

To maintain the original behavior (show the server header):

fastapi dev --server-header
# or
fastapi run --server-header

smarcelloc, May 04 '25 14:05
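
A way to verify the behaviour this issue describes, added here as an example (not code from fastapi-cli, Uvicorn, or the issue author): it requests a page and reports any stack-identifying response headers. The `FINGERPRINT_HEADERS` list, the function names and the local stub server are assumptions; the stub only imitates the "Server: uvicorn" header so the check runs offline.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

# Assumed list of response headers that commonly disclose the serving stack.
FINGERPRINT_HEADERS = ("server", "x-powered-by")

def disclosed_headers(host, port, path="/"):
    """Return {header: value} for fingerprinting headers present in the response."""
    conn = http.client.HTTPConnection(host, port, timeout=5)
    try:
        conn.request("GET", path)
        resp = conn.getresponse()
        resp.read()
        found = {h: resp.getheader(h) for h in FINGERPRINT_HEADERS}
        return {h: v for h, v in found.items() if v is not None}
    finally:
        conn.close()

def _stub_server(server_header):
    """Constructed local stand-in for an app server; it is not Uvicorn."""
    class Handler(BaseHTTPRequestHandler):
        def do_GET(self):
            body = b"ok"
            self.send_response_only(200)  # status line only, no automatic Server/Date
            if server_header:
                self.send_header("Server", server_header)
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            self.wfile.write(body)

        def log_message(self, *args):  # keep the demo quiet
            pass

    srv = HTTPServer(("127.0.0.1", 0), Handler)  # port 0: pick a free port
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv

def demo():
    """Probe a stub that sends 'Server: uvicorn' and one that sends no Server header."""
    results = {}
    for label, value in (("before", "uvicorn"), ("now", None)):
        srv = _stub_server(value)
        try:
            results[label] = disclosed_headers("127.0.0.1", srv.server_address[1])
        finally:
            srv.shutdown()
            srv.server_close()
    return results
```

Pointing `disclosed_headers` at the host and port of a deployed app gives the same report for a real server; an empty dict means none of the listed headers were returned.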