Closed DLakomy closed 1 month ago
I had issues with this before. The impl. is also not that clean. I think the right way would be to have opt-in for error messages in the response body.
/bounty $50 to make it opt-in.
/attempt #2701 with your implementation plan, or /claim #2701 in the PR body to claim the bounty. Thank you for contributing to zio/zio-http!
Attempt | Started (GMT+0) | Solution |
---|---|---|
🟢 @987Nabil | #3050 |
I removed the warning header on #2897, but I don't know if we need a flag or something to decide whether to include it.
If this is the case, where should such a flag be? This is my first contribution to the project, so I still need to familiarize myself with the logic and where this stuff is. 😅
Also, if we choose to make it possible to keep the warning header (via flag), I'll add a condition using the flag + remove "ZIO HTTP" from this line: https://github.com/zio/zio-http/blob/f070e41a348ab24d4ba2720da7d60b6972d2f902/zio-http/shared/src/main/scala/zio/http/Response.scala#L141
> Exposing backend implementation details (as I've said, this header mentions ZIO HTTP) can be considered a security issue.
This will solve this part of the issue.
🎉🎈 @987Nabil has been awarded $50! 🎈🎊
I've noticed that the apps using ZIO HTTP send a warning header on error, containing some information about the backend implementation details (it explicitly mentions ZIO HTTP).
ScalaCLI example:
Some responses:
Exposing backend implementation details (as I've said, this header mentions ZIO HTTP) can be considered a security issue. Moreover, if I'm not mistaken, the warning header is deprecated or soon to be deprecated (https://datatracker.ietf.org/doc/html/draft-ietf-httpbis-cache-06#section-5.5).
After reading the documentation and looking for similar issues on GitHub I still don't know how to get rid of these headers.
Is there a reason why this is the default behaviour, not opt-in? Is it possible to opt-out? I think such headers shouldn't be added by default.
I understand that I'm expressing a personal opinion, not a proper technical issue; however, I thought that it's worth raising anyway, as the answer may serve as a future reference, in case someone has a similar problem.
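A check a practitioner might want for the concern raised in this issue, as an added example that is not part of the issue or of zio-http itself: parse the Warning header using the RFC 7234 §5.5 grammar the issue links to, and flag any warn-agent or warn-text that names the backend implementation. The `IMPLEMENTATION_NAMES` list and the sample header values are constructed for illustration, not taken from ZIO HTTP's real output.

```python
import re
from typing import Dict, List
# RFC 7234 section 5.5 grammar (the section linked in the issue):
#   warning-value = warn-code SP warn-agent SP warn-text [ SP warn-date ]
WARNING_VALUE = re.compile(
    r'\s*(?P<code>\d{3})\s+(?P<agent>[^\s"]+)\s+"(?P<text>(?:[^"\\]|\\.)*)"'
    r'(?:\s+"(?P<date>[^"]*)")?\s*'
)
# Constructed list of names that identify a server-side implementation.
IMPLEMENTATION_NAMES = ("zio http", "zio-http", "netty")

def split_warning_values(header: str) -> List[str]:
    """Split the header on commas that sit outside quoted strings."""
    parts, buf = [], []
    in_quotes = escaped = False
    for ch in header:
        if escaped:
            escaped = False
        elif ch == "\\" and in_quotes:
            escaped = True
        elif ch == '"':
            in_quotes = not in_quotes
        elif ch == "," and not in_quotes:
            parts.append("".join(buf))
            buf = []
            continue
        buf.append(ch)
    parts.append("".join(buf))
    return [p.strip() for p in parts if p.strip()]

def parse_warning(header: str) -> List[Dict[str, str]]:
    """One dict per syntactically valid warning-value; malformed values are skipped."""
    values = []
    for raw in split_warning_values(header):
        m = WARNING_VALUE.fullmatch(raw)
        if m:
            values.append({k: v for k, v in m.groupdict().items() if v is not None})
    return values

def leaked_implementation_details(headers: Dict[str, str]) -> List[str]:
    """Warning fields (warn-agent or warn-text) that name a server implementation."""
    findings = []
    for name, value in headers.items():
        if name.lower() != "warning":
            continue
        for w in parse_warning(value):
            for field in ("agent", "text"):
                if any(n in w.get(field, "").lower() for n in IMPLEMENTATION_NAMES):
                    findings.append(f'{w["code"]} {field}={w[field]!r}')
    return findings
```

Run it over the response headers of error paths (4xx/5xx) in a test suite; an empty result means no Warning value names the framework.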