Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

X-Powered-By in Response Header even after applying helmet

See original GitHub issue

Code

app.use(helmet())
app.use(
  helmet.contentSecurityPolicy({
    useDefaults: true,
    directives: {
      "script-src": ["'self'", "'unsafe-inline'", "'unsafe-eval'"],
      "script-src-attr": ["'self'"],
    },
  })
)

Before helmet

After helmet

Versions

Node: 14.17.0 npm: 7.16.0 helmet: 4.6.0 nodemon: 2.0.7

Anyone having a similar issue?

Issue Analytics

State:
Created 2 years ago
Reactions:1
Comments:9 (3 by maintainers)

Top GitHub Comments

1reaction

marnixhohcommented, Jul 22, 2021

@EvanHahn I have looked into this “issue” further and I think that I have found the problem… This didn’t appear for me only after upgrading to 4.6.0. It happened on 4.4.0 too. (Oops…)

In development I have the app (Next.js) running on one port and the API server on another. I then use a custom proxy to redirect any requests to the API server as if they were both running on the same port. Now it appears as if the proxy is responsible for setting the header… In production this doesn’t happen because this custom proxy is not used. (The routing of requests is done by the hosting infrastructure). Which made me believe initially that the header was a result of upgrading Helmet…

I haven’t checked the 4.6.0 in production yet, but I’m pretty convinced the header will not be included.

My apologies for not realizing this quicker. Thank you so much for your help.

0reactions

marnixhohcommented, Jul 23, 2021

@chiragshahklc it’s interesting that you are experiencing this issue even though you are not using a proxy… Are you using a framework like Next.js by any chance?