functions-framework-dart

Allow Configuring "X-Powered-By" of underlying shelf server

Open zacharypuulsedev opened this issue 2 years ago • 1 comments

Per OWASP recommendations, I'd like to remove the "X-Powered-By" header.

Unless there is another option to remove a header with a Cloud Run instance behind a GCP API Gateway, the following is what I'd envision:

According to the shelf documentation, this is doable by passing null for the header:

```dart
Future<HttpServer> serve(
  Handler handler,
  Object address,
  int port,
  {SecurityContext? securityContext,
  int? backlog,
  bool shared = false,
  String? poweredByHeader = 'Dart with package:shelf'}
)
```

In serve.dart there is a call to run.

Within run, shelf_io.serve is called, which could be parameterized to pass null to the poweredByHeader param.

https://github.com/GoogleCloudPlatform/functions-framework-dart/blob/main/functions_framework/lib/serve.dart

zacharypuulsedev, Apr 29 '23 01:04
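The `poweredByHeader: null` behaviour the issue refers to, as an added example that is not part of the original thread or of functions-framework-dart: it starts a plain shelf server on a loopback port and checks whether the response carries `X-Powered-By`. The helper name `poweredByOf` and the ephemeral-port setup are assumptions made for illustration.

```dart
// Added example, not functions-framework-dart code.
import 'dart:io';

import 'package:shelf/shelf.dart';
import 'package:shelf/shelf_io.dart' as shelf_io;

/// Hypothetical helper: serves one request with the given poweredByHeader
/// setting and returns the X-Powered-By value the client saw (null if absent).
Future<String?> poweredByOf(String? poweredByHeader) async {
  // Port 0 asks the OS for a free port; loopback keeps the check local.
  final server = await shelf_io.serve(
    (Request request) => Response.ok('ok'),
    InternetAddress.loopbackIPv4,
    0,
    poweredByHeader: poweredByHeader,
  );
  final client = HttpClient();
  try {
    final request = await client.get('127.0.0.1', server.port, '/');
    final response = await request.close();
    await response.drain<void>();
    return response.headers.value('x-powered-by');
  } finally {
    client.close(force: true);
    await server.close(force: true);
  }
}

Future<void> main() async {
  // shelf's default value, as shown in the signature quoted in the issue.
  final advertised = await poweredByOf('Dart with package:shelf');
  print('default setting -> X-Powered-By: $advertised');

  // Passing null tells shelf_io not to set the header at all.
  final hardened = await poweredByOf(null);
  print('null setting    -> X-Powered-By: $hardened');

  // Fail the run if the server still discloses its stack.
  if (hardened != null) {
    stderr.writeln('X-Powered-By is still present in the response');
    exitCode = 1;
  }
}
```

The same request-and-inspect check can be pointed at a deployed endpoint to confirm that nothing in front of the service re-adds the header.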

PR welcome!

kevmoo, Apr 29 '23 02:04