Security News
Fluent Assertions Faces Backlash After Abandoning Open Source Licensing
Fluent Assertions is facing backlash after dropping the Apache license for a commercial model, leaving users blindsided and questioning contributor rights.
@hint/hint-no-disallowed-headers
Advanced tools
hint that that checks if disallowed response headers are sent
no-disallowed-headers
)no-disallowed-headers
warns against responding with certain HTTP
headers.
There are certain HTTP headers that should not be sent:
Sending these types of HTTP headers:
Uncommon or esoteric headers that have limited support, require a lot of knowledge to use correctly, and can create more problems than they solve.
One example here is the Public-Key-Pins
header. It has limited
support and usage, it’s being deprecated (along with the related
Public-Key-Pins-Report-Only
header) and can easily create a lot
of problems if not done correctly.
By default, the hint checks if responses include one of the following HTTP headers:
Expires
Host
P3P
Pragma
Public-Key-Pins
Public-Key-Pins-Report-Only
X-AspNet-Version
X-AspNetMvc-version
X-Frame-Options
X-Powered-By
X-Runtime
X-Version
or the Server
header with a value that provides a lot of information
and is not limited to the server name.
HTTP/... 200 OK
...
Server: Apache/2.2.27 (Unix) mod_ssl/2.2.27 OpenSSL/1.0.1e-fips mod_bwlimited/1.4
X-Powered-By: PHP/5.3.28
HTTP/... 200 OK
...
Public-Key-Pins-Report-Only:
pin-sha256="MoScTAZWKaASuYWhhneDttWpY3oBAkE3h2+soZS7sWs=";
pin-sha256="C5HTzCzM3elUxkcjR2S5P4hhyBNf6lHkmjAHKhpGPWE=";
includeSubDomains;
report-uri="https://www.example.com/hpkp-report"
HTTP/... 200 OK
...
Server: apache
HTTP/... 200 OK
...
If the headers are sent, in most cases, to make Apache stop sending
them requires removing the configurations that tells Apache to add
them (e.g. for the X-UA-Compatible
header, that would be mean
removing something such as Header set X-UA-Compatible "IE=edge"
).
However, if the headers are added from somewhere in the stack (e.g.:
the framework level, language level such as PHP, etc.), and that cannot
be changed, you can try to remove them at the Apache
level, using
the following:
<IfModule mod_headers.c>
Header unset Expires
Header unset Host
Header unset P3P
Header unset Pragma
Header unset Public-Key-Pins
Header unset Public-Key-Pins-Report-Only
Header unset Via
Header unset X-AspNet-Version
Header unset X-AspNetMvc-version
Header unset X-Frame-Options
Header unset X-Powered-By
Header unset X-Runtime
Header unset X-Version
</IfModule>
When it comes to the Server
header, by default, Apache does not
allow removing it (the only way to do that is
by using an external module). However, Apache can be configured using
the ServerTokens
directive to provide less
information thought the Server
header.
Note: The following snippet will only work in the main Apache
configuration file, so don't try to include it in a .htaccess
file!
# Prevent Apache from sending in the `Server` response header its
# exact version number, the description of the generic OS-type or
# information about its compiled-in modules.
#
# https://httpd.apache.org/docs/current/mod/core.html#servertokens
ServerTokens Prod
Note that:
The above snippets work with Apache v2.2.0+
, but you need to have
mod_headers
enabled
for them to take effect.
If you have access to the main Apache configuration file (usually called httpd.conf
), you should add
the logic in, for example, a <Directory>
section in that file. This is usually the recommended way as
using .htaccess
files slows down Apache!
If you don't have access to the main configuration file (quite
common with hosting services), add the first snippets in a
.htaccess
file in the root of the web site/app.
To add or remove headers on IIS, you can use the
<customHeader> element
and <remove>/<add>
depending on what you need.
The following snippet will remove the headers from all responses:
<configuration>
<system.webServer>
<httpProtocol>
<customHeaders>
<remove name="Expires"/>
<remove name="Host"/>
<remove name="P3P"/>
<remove name="Pragma"/>
<remove name="Public-Key-Pins"/>
<remove name="Public-Key-Pins-Report-Only"/>
<remove name="Via"/>
<remove name="X-Frame-Options"/>
<remove name="X-Powered-By"/>
<remove name="X-Runtime"/>
<remove name="X-Version"/>
</customHeaders>
</httpProtocol>
</system.webServer>
<system.web>
<!-- X-AspNet-Version, only needed if running an AspNet app -->
<httpRuntime enableVersionHeader="false" />
</system.web>
</configuration>
To remove the header X-AspNetMvc-version
, open your Global.asax
file and add the following to your Application_Start
event:
MvcHandler.DisableMvcResponseHeader = true;
Removing the Server
header is a bit more complicated and changes
depending on the version.
In IIS 10.0 you can remove it using the removeServerHeader
attribute
of requestFiltering
:
<configuration>
<system.webServer>
<security>
<requestFiltering removeServerHeader ="true" />
</security>
</system.webServer>
</configuration>
For previous versions of IIS (7.0-8.5) you can use the following:
<configuration>
<system.webServer>
<rewrite>
<outboundRules rewriteBeforeCache="true">
<rule name="Remove Server header">
<match serverVariable="RESPONSE_Server" pattern=".+" />
<action type="Rewrite" value="" />
</rule>
</outboundRules>
</rewrite>
</system.webServer>
</configuration>
The above snippet will use a URL rewrite
rule to
remove the Server
header from any request that contains it.
Yes, you can use:
include
to specify additional HTTP headers that should
be disallowedignore
to specify which of the disallowed HTTP headers
should be ignoredE.g. The following hint configuration used in the .hintrc
file will make the hint allow responses to be served with the Server
HTTP header, but not with Custom-Header
.
{
"connector": {...},
"formatters": [...],
"hints": {
"no-disallowed-headers": [ "warning", {
"ignore": ["Server"],
"include": ["Custom-Header"]
}],
...
},
...
}
This package is installed automatically by webhint:
npm install hint --save-dev
To use it, activate it via the .hintrc
configuration file:
{
"connector": {...},
"formatters": [...],
"hints": {
"no-disallowed-headers": "error",
...
},
"parsers": [...],
...
}
Note: The recommended way of running webhint is as a devDependency
of
your project.
FAQs
hint that that checks if disallowed response headers are sent
The npm package @hint/hint-no-disallowed-headers receives a total of 14,918 weekly downloads. As such, @hint/hint-no-disallowed-headers popularity was classified as popular.
We found that @hint/hint-no-disallowed-headers demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 0 open source maintainers collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Security News
Fluent Assertions is facing backlash after dropping the Apache license for a commercial model, leaving users blindsided and questioning contributor rights.
Research
Security News
Socket researchers uncover the risks of a malicious Python package targeting Discord developers.
Security News
The UK is proposing a bold ban on ransomware payments by public entities to disrupt cybercrime, protect critical services, and lead global cybersecurity efforts.