ember-fastboot / fastboot-app-server

A production-ready app server for running Ember FastBoot apps

Header added in before middleware is added twice #130

Open jelhan opened 3 years ago

jelhan commented 3 years ago

A header added in a before middleware is added twice to the response.

Steps to reproduce:

  1. Create a new Ember application.
  2. Install ember-cli-fastboot and fastboot-app-server.
  3. Create a FastBoot App Server, which adds a header in a before middleware, and save it as server.js.

    const FastBootAppServer = require('fastboot-app-server');
    const ExpressHTTPServer = require('fastboot-app-server/src/express-http-server');
    
    // Own HTTP server instance so middleware can be registered on the Express app
    const httpServer = new ExpressHTTPServer({
      port: 49742,
    });
    const app = httpServer.app;
    
    // "before" middleware: sets the header before the FastBoot handler runs
    app.use(function (req, res, next) {
      res.set('Content-Security-Policy', "default-src 'http://examples.com';");
      next();
    });
    
    let server = new FastBootAppServer({
      distPath: 'dist',
      httpServer: httpServer,
    });
    
    server.start();
  4. Start the FastBoot App Server with node server.js.
  5. Do a request against the running instance and expect the response headers:
    $ curl -I http://localhost:49742
    HTTP/1.1 200 OK
    x-powered-by: Express
    x-powered-by: Express
    content-security-policy: default-src 'http://examples.com';
    content-security-policy: default-src 'http://examples.com';
    Content-Type: text/html; charset=utf-8
    Content-Length: 3314
    ETag: W/"cf2-rOuN5P2xOUzKctuV2vXWj7cma28"
    Date: Tue, 03 Nov 2020 08:24:54 GMT
    Connection: keep-alive
    Keep-Alive: timeout=5

I expect the Content-Security-Policy header to only be present once. But it's present twice.

Please note that I see the same for X-Powered-By: Express header, which is added by Express automatically regardless of my usage of FastBoot App Server.

A repository with the reproduction steps applied can be found here: https://github.com/jelhan/test-fastboot-with-header
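A small check for the symptom described in this issue, added here as an example and not part of fastboot-app-server or the reporter's repository: it parses a raw response-header block (the curl -I output above, embedded as the sample) and lists every header name that occurs more than once, marking security headers and duplicates whose values differ. Function names and the security-header list are my own choices.

```javascript
// Added example: detect duplicated response headers in a raw HTTP header block.
// Not part of fastboot-app-server; the sample is the curl -I output from the report.
const SAMPLE_HEADERS = `HTTP/1.1 200 OK
x-powered-by: Express
x-powered-by: Express
content-security-policy: default-src 'http://examples.com';
content-security-policy: default-src 'http://examples.com';
Content-Type: text/html; charset=utf-8
Content-Length: 3314
ETag: W/"cf2-rOuN5P2xOUzKctuV2vXWj7cma28"
Date: Tue, 03 Nov 2020 08:24:54 GMT
Connection: keep-alive
Keep-Alive: timeout=5`;
// Security headers: browsers enforce every CSP header present, so a
// duplicate with a different value silently tightens the policy.
const SECURITY_HEADERS = new Set([
  'content-security-policy', 'strict-transport-security',
  'x-frame-options', 'x-content-type-options', 'referrer-policy',
]);
// Parse "Name: value" lines (status line skipped) into lower-cased
// name -> [values]; header names are case-insensitive.
function parseHeaderBlock(raw) {
  const headers = new Map();
  for (const line of raw.split(/\r?\n/).slice(1)) {
    const idx = line.indexOf(':');
    if (idx === -1) continue; // not a header line
    const name = line.slice(0, idx).trim().toLowerCase();
    const value = line.slice(idx + 1).trim();
    if (!headers.has(name)) headers.set(name, []);
    headers.get(name).push(value);
  }
  return headers;
}
// One entry per header name that appears more than once, in response order.
function findDuplicateHeaders(raw) {
  const result = [];
  for (const [name, values] of parseHeaderBlock(raw)) {
    if (values.length < 2) continue;
    result.push({ name, values, security: SECURITY_HEADERS.has(name),
                  conflicting: new Set(values).size > 1 });
  }
  return result;
}
for (const d of findDuplicateHeaders(SAMPLE_HEADERS)) {
  console.log(`${d.name} x${d.values.length}` +
    (d.security ? ' [security header]' : '') +
    (d.conflicting ? ' [conflicting values]' : ''));
}
```

Run against a live instance by piping `curl -sI http://localhost:49742` into the parser instead of the embedded sample.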

roncodes commented 3 years ago

+1, running into the same issue currently, which is causing Mozilla Observatory to score our website low due to the duplication of security headers.

ghost commented 2 years ago

+1, I accidentally missed the right repo and created the same issue but in the ember-cli-fastboot repo: https://github.com/ember-fastboot/ember-cli-fastboot/issues/884