Skip to content

apollo-server: Disable "x-powered-by" header#3821

Merged
abernix merged 2 commits into
apollographql:release-2.12.0from
pauloedurezende:feature/disable-selected-headers
Mar 10, 2020
Merged

apollo-server: Disable "x-powered-by" header#3821
abernix merged 2 commits into
apollographql:release-2.12.0from
pauloedurezende:feature/disable-selected-headers

Conversation

@pauloedurezende

@pauloedurezende pauloedurezende commented Feb 23, 2020

Copy link
Copy Markdown
Contributor

@andrewmcgivery

andrewmcgivery commented Feb 24, 2020
edited
Loading

Copy link
Copy Markdown
Contributor

Just curious if this should be more discussed per my comment in #3812 instead of just rushing in a root level property.

More specifically, would it be useful to be able to both add and remove headers through something like this instead of just disabling headers.

Maybe something like this?

headers: {
   add: [{'X-Content-Type-Options', 'nosniff'}]
   remove: ['x-powered-by']
}

@abernix

abernix commented Feb 24, 2020

Copy link
Copy Markdown
Member

I don't think a top-level attribute to the ApolloServer class is the right way to achieve this (nor do I think disable as a term provides near enough clarity as to what that option would be meant to achieve).

While it's not currently the case, the ApolloServerCore class is meant to be as HTTP-agnostic as possible. Future versions of Apollo Server will make this even more strict to ensure we don't conflate transport concerns with GraphQL server functionality.

I do think that the ability to add headers is a great option for the transport, but that seems it should be accomplished in a transport-specific way on the HTTP transport which #3576 introduced and that is part of the larger #3184 work in #2360. While it might be tempting to open a PR to that PR, I wouldn't suggest that just yet until we stabilize some of the 3.0 work, and most notably that transport.

How about changing this PR to resolve exactly what #3812 reported? Specifically, that means disabling the default Express header when using apollo-server (not any of other integrations) by adding app.disable('x-powered-by'); below this line:

apollo-server/packages/apollo-server/src/index.ts

Lines 98 to 99 in 30b3066

const app = express();

Thoguhts?

@abernix abernix mentioned this pull request Feb 24, 2020
Closed
@pauloedurezende

pauloedurezende commented Feb 24, 2020

Copy link
Copy Markdown
Contributor Author

Guys, thanks to review this PR 😄

It ended up being my fault to pay more attention to the proposed alternative than to actually solve the specific problem, even more, focused only on one server, in this case, Express. I will make the necessary changes to be able to deliver the correction of the proposed problem... 😉

@abernix abernix changed the title [FEATURE] - Disable Defined Headers apollo-server: Disable "x-powered-by" header Feb 25, 2020
@abernix abernix changed the base branch from master to release-2.12.0 March 10, 2020 11:06
@abernix abernix added this to the Release 2.12.0 milestone Mar 10, 2020
@abernix abernix merged commit 6597e39 into apollographql:release-2.12.0 Mar 10, 2020
@pauloedurezende pauloedurezende deleted the feature/disable-selected-headers branch March 10, 2020 17:30
@github-actions github-actions Bot locked as resolved and limited conversation to collaborators Apr 21, 2023
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.

Reviewers

@abernix abernix abernix approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

Release 2.12.0

Development

Successfully merging this pull request may close these issues.

3 participants

@pauloedurezende @andrewmcgivery @abernix