node-red icon indicating copy to clipboard operation
node-red copied to clipboard
verified publisher icon node-red

charset=utf-8 added to Content-Type even if set manually in HTTP Response node

Open yousifa opened this issue 4 years ago • 1 comments

What are the steps to reproduce?

Node-red appends charset=utf-8 to the Content-Type header in the HTTP Response node by default. If a custom header is set, it still adds charset=utf-8 no matter what the Content-Type that is set.

What happens?

charset=utf-8 is appended to the content-type

What do you expect to happen?

I expect that the exact header I manually set to be returned with the response and not messed with. This affects endpoints being used with services that are very picky with the Content-Type (eg. Twilio)

Please tell us about your environment:

  • [ ] Node-RED version: 1.2.2

yousifa avatar Jan 27 '21 09:01 yousifa

Express, the framework we're built on top of, automatically appends the charset field and doesn't provide any way to stop it from doing that. This was in response to a vulnerability disclosure around JSON hijacking.

See https://github.com/expressjs/express/issues/3490 and the items linked to from there.

So I'm not immediately sure what we can/should do about this.

knolleary avatar Jan 27 '21 10:01 knolleary