Header added in before middleware is added twice #130

Open
jelhan opened this issue Nov 3, 2020 · 2 comments

jelhan commented Nov 3, 2020

A header added in a before middleware is added twice to the response.

Steps to reproduce:

  1. Create a new Ember application.
  2. Install ember-cli-fastboot and fastboot-app-server.
  3. Create a FastBoot App Server, which adds a header in a before middleware and save it as server.js.
    const FastBootAppServer = require('fastboot-app-server');
    const ExpressHTTPServer = require('fastboot-app-server/src/express-http-server');
    
    const httpServer = new ExpressHTTPServer({
      port: 49742,
    });
    const app = httpServer.app;
    
    app.use(function (req, res, next) {
      res.set('Content-Security-Policy', "default-src 'http://examples.com';");
      next();
    });
    
    let server = new FastBootAppServer({
      distPath: 'dist',
      httpServer: httpServer,
    });
    
    server.start();
  4. Start the FastBoot App Server with node server.js.
  5. Do a request against the running instance and expect the response headers:
    $ curl -I http://localhost:49742
    HTTP/1.1 200 OK
    x-powered-by: Express
    x-powered-by: Express
    content-security-policy: default-src 'http://examples.com';
    content-security-policy: default-src 'http://examples.com';
    Content-Type: text/html; charset=utf-8
    Content-Length: 3314
    ETag: W/"cf2-rOuN5P2xOUzKctuV2vXWj7cma28"
    Date: Tue, 03 Nov 2020 08:24:54 GMT
    Connection: keep-alive
    Keep-Alive: timeout=5

I expect the Content-Security-Policy header to be present only once. But it's present twice.

Please note that I see the same for X-Powered-By: Express header, which is added by Express automatically regardless of my usage of FastBoot App Server.

A repository with the reproduction steps applied can be found here: https://github.com/jelhan/test-fastboot-with-header
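
A check for the duplication shown in the curl output above, as an added example that is not part of the issue or the project's code: it parses `curl -I` output and reports watched headers that appear more than once. The watched-header list and the function names are assumptions made for the example.

```javascript
// Headers to audit for repeats. This list is an assumption for the example.
const WATCHED = new Set([
  'content-security-policy', 'strict-transport-security',
  'x-frame-options', 'x-content-type-options',
  'referrer-policy', 'x-powered-by',
]);

// Parse `curl -I` output into [lowercased name, value] pairs.
function parseHeaderLines(text) {
  const pairs = [];
  for (const line of text.split(/\r?\n/)) {
    const idx = line.indexOf(':');
    if (idx <= 0) continue; // status line ("HTTP/1.1 200 OK") or blank line
    pairs.push([line.slice(0, idx).trim().toLowerCase(), line.slice(idx + 1).trim()]);
  }
  return pairs;
}

// One finding per watched header that occurs more than once.
// `identical` is true when every repeated line carries the same value.
function findDuplicateHeaders(text) {
  const seen = new Map();
  for (const [name, value] of parseHeaderLines(text)) {
    if (!WATCHED.has(name)) continue;
    if (!seen.has(name)) seen.set(name, []);
    seen.get(name).push(value);
  }
  const findings = [];
  for (const [name, values] of seen) {
    if (values.length < 2) continue;
    findings.push({ name, count: values.length, identical: new Set(values).size === 1 });
  }
  return findings;
}

// Response headers copied from the curl output in the issue.
const SAMPLE = [
  'HTTP/1.1 200 OK',
  'x-powered-by: Express',
  'x-powered-by: Express',
  "content-security-policy: default-src 'http://examples.com';",
  "content-security-policy: default-src 'http://examples.com';",
  'Content-Type: text/html; charset=utf-8',
  'Content-Length: 3314',
].join('\n');

console.log(findDuplicateHeaders(SAMPLE));
```

A finding with `identical: false` means the repeated lines carry different values, which is the case to review first.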

@roncodes

+1, running into the same issue currently, which is causing Mozilla Observatory to score our website low due to the duplication of security headers.

ghost commented Jun 3, 2022

+1, I accidentally missed the right repo and created the same issue but in the ember-cli-fastboot repo:
ember-fastboot/ember-cli-fastboot#884
