
Directive "Header unset X-Powered-By" is not respected #183


Closed
GlassGruber opened this issue Mar 23, 2019 · 1 comment
Labels: bug, good first issue, help wanted

Comments

@GlassGruber
Contributor

Hey there,
just as the title says; note also that `mod_headers.c` is enabled, and it's happening on a shared hosting server where I have no access to the PHP ini.
After a couple of tests and some fortunate google-fu, I was finally able to enforce it by adding `always` to the mix:

```
Header always unset X-Powered-By
```

I can't really understand why the directive is not respected without it; also, there are no redirects in the request.

In the docs I wasn't able to find much about possible side effects for this option.

So I'm wondering if it could be a sensible default to insert for this specific rule, or maybe put a notice in the comments suggesting this approach if the directive is not working.

I can make a PR if requested.

Thank you!

@GlassGruber changed the title from "unset X-Powered-By not respected" to "Directive "unset X-Powered-By" is not respected" Mar 23, 2019
@GlassGruber changed the title from "Directive "unset X-Powered-By" is not respected" to "Directive "Header unset X-Powered-By" is not respected" Mar 23, 2019
@LeoColomb
Member

From httpd docs:

> You're modifying or removing a header generated by a CGI script or by mod_proxy_fcgi, in which case the CGI scripts' headers are in the table corresponding to `always` and not in the default table.

So I think you're right.

> I can make a PR if requested.

Sure! 😃

@LeoColomb added the bug, help wanted, and good first issue labels Mar 23, 2019
GlassGruber added a commit to GlassGruber/server-configs-apache that referenced this issue Mar 23, 2019
as per h5bp#183, `always` can be used to ensure the directive is always applied. In this case it should be a sensible default.
GlassGruber added a commit to GlassGruber/server-configs-apache that referenced this issue Mar 24, 2019
as per h5bp#183, `always` can be used to ensure the directive is always applied. In this case it should be a sensible default. Also, as found [here](https://www.tunetheweb.com/security/http-security-headers/server-header/), a good default is to use both versions, since the `always` option is reported as not always working in some server configurations.
LeoColomb pushed a commit that referenced this issue Mar 26, 2019
as per #183, `always` can be used to ensure the directive is always applied. In this case it should be a sensible default.

Fix #183
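
To confirm that the change discussed in this issue took effect, the response headers can be checked directly. The script below is an added example, not part of the thread or of the h5bp project; the function and sample names are made up for illustration, the sample responses are constructed, and `https://example.com/` is a placeholder.

```shell
#!/bin/sh
# Added example: flag HTTP responses that still expose X-Powered-By.
# Input on stdin: raw response header blocks, e.g. the output of
#   curl -sI https://example.com/      (placeholder URL)

# Prints "<status> <header value>" for each response block that still
# carries X-Powered-By; exit status is 1 if any block leaks, 0 otherwise.
leaked_powered_by() {
  awk '
    { sub(/\r$/, "") }                      # header lines end in CRLF
    /^HTTP\// { status = $2; next }         # status line opens a new block
    tolower($0) ~ /^x-powered-by[ \t]*:/ {  # header names are case-insensitive
      value = $0
      sub(/^[^:]*:[ \t]*/, "", value)
      print status, value
      leaks++
    }
    END { exit (leaks > 0) }
  '
}

# Constructed samples (not captured from a real server).
sample_before() {  # header still present, as reported in the issue
  printf 'HTTP/1.1 200 OK\r\nServer: Apache\r\nX-Powered-By: PHP/x.y.z\r\n\r\n'
}
sample_after() {   # header removed
  printf 'HTTP/1.1 200 OK\r\nServer: Apache\r\n\r\n'
}
sample_chain() {   # two blocks, as curl -sIL prints for a redirect chain
  printf 'HTTP/1.1 301 Moved Permanently\r\nLocation: /app/\r\n\r\n'
  printf 'HTTP/1.1 200 OK\r\nx-powered-by: PHP/x.y.z\r\n\r\n'
}
```

Pipe the headers of both a normal page and an error page through `leaked_powered_by`, since mod_headers keeps separate `onsuccess` and `always` tables.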