GoogleCloudPlatform / functions-framework-dart

FaaS (Function as a service) framework for writing portable Dart functions
https://pub.dev/packages/functions_framework
Apache License 2.0

Allow Configuring "X-Powered-By" of underlying shelf server #388

Open zacharypuulsedev opened 1 year ago

zacharypuulsedev commented 1 year ago

Per OWASP recommendations, I'd like to remove the "X-Powered-By" header.

Unless there is another option to remove a header with a Cloud Run instance behind a GCP API Gateway, the following is what I'd envision:

According to the shelf documentation, this is doable by passing null for the header:

```dart
Future<HttpServer> serve(
  Handler handler,
  Object address,
  int port,
  {SecurityContext? securityContext,
  int? backlog,
  bool shared = false,
  String? poweredByHeader = 'Dart with package:shelf'}
)
```

In serve.dart there is a call to run.

Within run, shelf_io.serve is called, which could be parameterized to pass null to the poweredByHeader param.

https://github.com/GoogleCloudPlatform/functions-framework-dart/blob/main/functions_framework/lib/serve.dart

kevmoo commented 1 year ago

PR welcome!
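An added example, not code from functions-framework-dart or from the issue's participants: it calls `shelf_io.serve` directly with the `poweredByHeader` parameter quoted in the issue and checks on a loopback server whether the response still carries `X-Powered-By`. The handler and the `poweredByValue` helper are hypothetical names chosen for this sketch.

```dart
// Added example: compares default shelf_io.serve behaviour with
// poweredByHeader: null by inspecting real response headers on loopback.
import 'dart:io';

import 'package:shelf/shelf.dart';
import 'package:shelf/shelf_io.dart' as shelf_io;

// Hypothetical minimal handler; it sets no headers of its own.
Response _handler(Request request) => Response.ok('ok');

/// Starts a loopback server, sends one GET, and returns the value of the
/// X-Powered-By response header (null when the header is absent).
Future<String?> poweredByValue({required bool suppress}) async {
  // Port 0 asks the OS for a free ephemeral port.
  final server = suppress
      ? await shelf_io.serve(_handler, InternetAddress.loopbackIPv4, 0,
          poweredByHeader: null)
      : await shelf_io.serve(_handler, InternetAddress.loopbackIPv4, 0);
  final client = HttpClient();
  try {
    final request = await client.get('127.0.0.1', server.port, '/');
    final response = await request.close();
    await response.drain<void>();
    return response.headers.value('x-powered-by');
  } finally {
    client.close(force: true);
    await server.close(force: true);
  }
}

Future<void> main() async {
  final byDefault = await poweredByValue(suppress: false);
  final suppressed = await poweredByValue(suppress: true);
  print('default:    ${byDefault ?? '<absent>'}');
  print('suppressed: ${suppressed ?? '<absent>'}');
  // Non-zero exit lets a CI job catch the header reappearing.
  if (suppressed != null) {
    stderr.writeln('X-Powered-By still present');
    exitCode = 1;
  }
}
```

The same header check can be pointed at a deployed endpoint to confirm what actually reaches clients through the gateway.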