Consider providing an option to disable the "x-powered-by" header
Affected package/version: apollo-server@2.10.1
Issue description
When using apollo-server (without explicitly calling server.applyMiddleware()), the out-of-box configuration defaults internally to apollo-server-express.
Responses from this default server include the following response header:
```http
X-Powered-By: Express
```
As per Express Production Best Practices: Security, consider disabling this header to avoid unnecessary disclosure to potential attackers that the server is running Express.
Alternatively, consider providing an option in the ApolloServer constructor to allow developers to opt into, e.g.
```javascript
const server = new ApolloServer({
  ...opts,
  disable: 'x-powered-by'
});
```
The presence of this header is commonly flagged by security scanning tools such as Netsparker.
Steps to reproduce
Assume NODE_ENV=production (playground disabled).
Server setup
```javascript
const { ApolloServer } = require('apollo-server');

// `opts` stands for whatever schema/resolver options the application passes in
const server = new ApolloServer({ ...opts });

(async () => {
  // Default transport: apollo-server-express, started without applyMiddleware()
  const { url } = await server.listen();
  console.log(`🚀 Server ready at ${url}`);
})();
```
Request
```http
GET / HTTP/1.1
Host: localhost:4000
Accept: */*
Accept-Encoding: gzip, deflate
Cache-Control: no-cache
Connection: Keep-Alive
```
Response
```http
HTTP/1.1 500 Internal Server Error
X-Powered-By: Express
Content-Type: application/json
Access-Control-Allow-Origin: *
```
Note the presence of the x-powered-by header in the response.
Additional notes
It is possible to disable the header when using apollo-server-express directly, e.g.
```javascript
const express = require('express');
const { ApolloServer } = require('apollo-server-express');

const server = new ApolloServer({ ...opts });
const app = express();
app.disable('x-powered-by'); // <- ** HEADER DISABLED HERE **
server.applyMiddleware({ app });

app.listen({ port: 4000 }, () =>
  console.log(`🚀 Server ready at http://localhost:4000${server.graphqlPath}`)
);
```
However developers following the Getting Started guide, which uses code similar to the reproduction above, should be set up for success by defaulting to a server configuration that adheres to Express best practices for security.
Top GitHub Comments
@andrewmcgivery I agree with the idea generally, but introducing those middleware, which might be carefully placed in existing app's middleware chain, would be a breaking change for some deployments. Additionally, these might be more restrictive than are desired by some!
As noted above: in a not-too-distant version of Apollo Server, this functionality will all live in an HTTP-specific transport in future versions. We plan on providing a production best-practice / pre-flight guide to supplement that pattern, and including helmet in there seems reasonable, to me!
https://github.com/apollographql/apollo-server/pull/3821