Closed
Description
It's generally good security practice to hide any unnecessary information from clients. Next.js has the poweredByHeader config option, which hides the X-Powered-By header; we should honour the same option to hide the X-OpenNext header in server responses.
See: https://nextjs.org/docs/app/api-reference/next-config-js/poweredByHeader
Steps
- Grab the Next config, e.g.:
import { NextConfig } from "../adapters/config";
- Use the config to conditionally set the header here: https://github.com/opennextjs/opennextjs-aws/blob/main/packages/open-next/src/core/routing/util.ts#L325
- Update the documentation, e.g. https://opennext.js.org/aws/config, to include this config option (https://github.com/opennextjs/docs/blob/main/pages/aws/config.mdx)
Context:
We used to output the OpenNext version in our headers, but a Discord member brought up security concerns about exposing the actual version; we have since hidden it behind a debug flag but never hid the exposure of OpenNext in the headers.
export function addOpenNextHeader(headers: OutgoingHttpHeaders) {
  // Always emitted today, regardless of the Next.js poweredByHeader setting.
  headers["X-OpenNext"] = "1";
  if (globalThis.openNextDebug) {
    // Version and request id are only exposed when the debug flag is set.
    headers["X-OpenNext-Version"] = globalThis.openNextVersion;
    headers["X-OpenNext-RequestId"] = globalThis.__als.getStore()?.requestId;
  }
}
This was brought up by another user on Discord.
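One way to implement the proposed change, as an added example that is not the project's own code: the header function takes the Next config and suppresses every X-OpenNext-* header when poweredByHeader is false, mirroring how Next.js treats X-Powered-By (undefined means enabled). The HeaderMap, NextConfigSubset and DebugState types are simplified stand-ins for OutgoingHttpHeaders, NextConfig and the globalThis state used by the real code.

```typescript
// Added example, not the OpenNext implementation. Simplified types stand in
// for OutgoingHttpHeaders, NextConfig and the globalThis debug state.
type HeaderMap = Record<string, string | undefined>;

interface NextConfigSubset {
  // Next.js default is true; `false` removes X-Powered-By, and here X-OpenNext.
  poweredByHeader?: boolean;
}

interface DebugState {
  openNextDebug?: boolean;
  openNextVersion?: string;
  requestId?: string;
}

function addOpenNextHeader(
  headers: HeaderMap,
  config: NextConfigSubset,
  debug: DebugState = {},
): HeaderMap {
  // Honour the same opt-out as Next.js: only an explicit `false` hides headers.
  // Design choice in this example: the opt-out also covers the debug headers,
  // since the version string was the original exposure concern.
  if (config.poweredByHeader === false) {
    return headers;
  }
  headers["X-OpenNext"] = "1";
  if (debug.openNextDebug) {
    // Version and request id stay behind the debug flag, as in the current code.
    if (debug.openNextVersion) headers["X-OpenNext-Version"] = debug.openNextVersion;
    if (debug.requestId) headers["X-OpenNext-RequestId"] = debug.requestId;
  }
  return headers;
}

// Check a response header map for any OpenNext fingerprint, e.g. in a test
// that asserts a hardened deployment leaks nothing.
function exposesOpenNext(headers: HeaderMap): boolean {
  return Object.keys(headers).some(
    (name) => name.toLowerCase().startsWith("x-opennext"),
  );
}
```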