Hello guys,
I am using the latest version (0.20.5) without any problem, but when I try to configure (httpServerOptions) it does not work on any "expressjs" settings.
// The following property can be used to pass custom options to the Express.js
// server used by Node-RED. For a full list of available options, refer
// to http://expressjs.com/en/api.html#app.settings.table
httpServerOptions: {
"x-powered-by": false
},
// The following property can be used to verify websocket connection attempts.
// This allows, for example, the HTTP request headers to be checked to ensure
// they include valid authentication information.
Any idea where my mistake will be?
Alternatively I set up an (http response) with the same value (x-powered-by).
Thank you for your help!
Hi @adamiD
I couldn't remember how we handle this in the code, and having reviewed it, I see we only apply these options to the routes that serve the editor and its apis. They do not apply to the routes served by the HTTP nodes.
So that explains what you're seeing. Whether it should apply to the HTTP node routes is another question. Need to think about that.
A workaround would be to use a reverse proxy to do it. That tends to be more secure anyway since web servers/reverse proxies tend to be heavily security tested. NGINX or HAProxy are good and pretty efficient choices. Apache can be used as well but tends to be a bit (lot) more of a resource hog in my experience.
Hello @TotallyInformation,
I also have a preference for NGINX, until I say more, after using it, I never thought about Apache... hehehe
For the case in question I just wanted to hide the header.
Thanks for sharing,
Doug
Hello @knolleary,
Thanks for the clarification ... I thought the option affected the whole context ... I thought it was my mistake, so what is the best option to hide the header in the HTTP node routes? What is your recommendation?
I take this opportunity to thank you for the excellent work you have done.
Doug
Hi, just resurrecting this because:
-
It looks like the options are completely ignored even for the editor
I can't find any entry where the x-powered-by isn't present even though I've set that flag in settings.js, restarted NR and ctrl-f5'd the editor tab.
-
I've been looking at Node-RED security again and there are several settings that I believe would be beneficial to improve the general security of Node-RED. I think that these settings probably should be on by default though almost certainly need to be options.
- Setting the
x-powered-by
header to false
- Setting the
X-XSS-Protection
header to 1;mode=block
- Setting the
X-Frame-Options
header to SAMEORIGIN
- Setting the
Content-Security-Policy
header - this would certainly need to be controllable since the actual setting will change depending on requirements.
I'm not aware of any way to currently set these for either of the 2 ExpressJS apps that Node-RED creates.
Of course, a reverse proxy can be used to override the headers but that might not always be feasible. Or at least not necessarily feasible to make changes to the proxy.