Allow Configuring "X-Powered-By" of underlying shelf server #388

@zacharypuulsedev

Per OWASP recommendations, I'd like to remove the "X-Powered-By" header.

Unless there is another option to remove a header with a Cloud Run instance behind a GCP API Gateway, the following is what I'd envision:

According to the shelf documentation, this is doable by passing null for the header:

    Future<HttpServer> serve(
      Handler handler,
      Object address,
      int port,
      {SecurityContext? securityContext,
      int? backlog,
      bool shared = false,
      String? poweredByHeader = 'Dart with package:shelf'}
    )

In serve.dart there is a call to run.

Within run, shelf_io.serve is called, which could be parameterized to pass null to the poweredByHeader param.

https://github.com/GoogleCloudPlatform/functions-framework-dart/blob/main/functions_framework/lib/serve.dart
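
The shelf behaviour this request relies on, as an added example that is not part of the original issue or of the functions-framework-dart code: two local shelf servers are started, one with the default `poweredByHeader` and one with `poweredByHeader: null`, and the header each one returns is printed. The handler, the loopback address and the ephemeral ports are assumptions made for the demonstration.

```dart
import 'dart:io';

import 'package:shelf/shelf.dart';
import 'package:shelf/shelf_io.dart' as shelf_io;

// Hypothetical handler used only for this demonstration.
Response handler(Request request) => Response.ok('ok');

// Requests "/" from a local server and returns the X-Powered-By value,
// or null when the response does not carry the header.
Future<String?> poweredBy(HttpClient client, HttpServer server) async {
  final request = await client.get('127.0.0.1', server.port, '/');
  final response = await request.close();
  await response.drain<void>();
  return response.headers.value('x-powered-by');
}

Future<void> main() async {
  // Port 0 asks the OS for a free ephemeral port (assumption: local test only).
  final defaultServer =
      await shelf_io.serve(handler, InternetAddress.loopbackIPv4, 0);

  // Same server, but with the header suppressed as the issue proposes.
  final hardenedServer = await shelf_io.serve(
    handler,
    InternetAddress.loopbackIPv4,
    0,
    poweredByHeader: null,
  );

  final client = HttpClient();
  try {
    final before = await poweredBy(client, defaultServer);
    final after = await poweredBy(client, hardenedServer);
    print('default serve():       X-Powered-By = $before');
    print('poweredByHeader: null: X-Powered-By = $after');

    // Fail loudly if the header is still disclosed after hardening.
    if (after != null) {
      stderr.writeln('X-Powered-By is still present: $after');
      exitCode = 1;
    }
  } finally {
    client.close();
    await defaultServer.close();
    await hardenedServer.close();
  }
}
```

The same `poweredBy` check can be pointed at a deployed endpoint to confirm that no gateway or proxy in front of the service reintroduces the header.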
