
@hint/hint-no-disallowed-headers

v3.1.22

Published

hint that checks if disallowed response headers are sent

Downloads

103,778

Readme

Disallowed HTTP headers (no-disallowed-headers)

no-disallowed-headers warns against responding with certain HTTP headers.

Why is this important?

There are certain HTTP headers that should not be sent:

  1. Headers that are often set by servers, frameworks, and server-side languages (e.g.: ASP.NET, PHP), that by default have values that contain information about the technology that set them: its name, version number, etc.

     Sending these types of HTTP headers:

       • does not provide any value to the user experience
       • contributes to header bloat
       • exposes information to potential attackers about the technology stack being used (product names and exact version numbers let an attacker go straight to known vulnerabilities for that version)

  2. Uncommon or esoteric headers that have limited support, require a lot of knowledge to use correctly, and can create more problems than they solve.

     One example here is the Public-Key-Pins header. It has limited support and usage, it has been deprecated (along with the related Public-Key-Pins-Report-Only header) and major browsers have removed support for it, and a mistaken pin set can lock legitimate users out of a site for the duration of the max-age.

What does the hint check?

By default, the hint checks if responses include one of the following HTTP headers:

  • Expires
  • Host
  • P3P
  • Pragma
  • Public-Key-Pins
  • Public-Key-Pins-Report-Only
  • X-AspNet-Version
  • X-AspNetMvc-version
  • X-Frame-Options
  • X-Powered-By
  • X-Runtime
  • X-Version

or the Server header with a value that provides a lot of information and is not limited to the server name.

Examples that trigger the hint

HTTP/... 200 OK

...
Server: Apache/2.2.27 (Unix) mod_ssl/2.2.27 OpenSSL/1.0.1e-fips mod_bwlimited/1.4
X-Powered-By: PHP/5.3.28

HTTP/... 200 OK

...
Public-Key-Pins-Report-Only:
  pin-sha256="MoScTAZWKaASuYWhhneDttWpY3oBAkE3h2+soZS7sWs=";
  pin-sha256="C5HTzCzM3elUxkcjR2S5P4hhyBNf6lHkmjAHKhpGPWE=";
  includeSubDomains;
  report-uri="https://www.example.com/hpkp-report"

Examples that pass the hint

HTTP/... 200 OK

...
Server: apache

HTTP/... 200 OK

...

How to configure the server to pass this hint

If the headers are sent, in most cases, making Apache stop sending them requires removing the configuration that tells Apache to add them (e.g. for the X-UA-Compatible header, that would mean removing something such as Header set X-UA-Compatible "IE=edge"). However, if the headers are added from somewhere else in the stack (e.g.: the framework level, language level such as PHP, etc.), and that cannot be changed, you can try to remove them at the Apache level, using the following:

<IfModule mod_headers.c>
    # `Header unset` only applies to successful (2xx) responses by default;
    # use `Header always unset <name>` if the header must also be stripped
    # from error responses.
    Header unset Expires
    Header unset Host
    Header unset P3P
    Header unset Pragma
    Header unset Public-Key-Pins
    Header unset Public-Key-Pins-Report-Only
    Header unset Via
    Header unset X-AspNet-Version
    Header unset X-AspNetMvc-version
    Header unset X-Frame-Options
    Header unset X-Powered-By
    Header unset X-Runtime
    Header unset X-Version
</IfModule>

When it comes to the Server header, by default, Apache does not allow removing it (the only way to do that is by using an external module, e.g. ModSecurity's SecServerSignature directive, which rewrites the value in place). However, Apache can be configured using the ServerTokens directive to provide less information through the Server header.

Note: The following snippet will only work in the main Apache configuration file, so don't try to include it in a .htaccess file!

# Prevent Apache from sending in the `Server` response header its
# exact version number, the description of the generic OS-type or
# information about its compiled-in modules.
#
# https://httpd.apache.org/docs/current/mod/core.html#servertokens

ServerTokens Prod

Note that:

  • The above snippets work with Apache v2.2.0+, but you need to have mod_headers enabled for them to take effect.

  • If you have access to the main Apache configuration file (usually called httpd.conf), you should add the logic in, for example, a <Directory> section in that file. This is usually the recommended way as using .htaccess files slows down Apache!

    If you don't have access to the main configuration file (quite common with hosting services), add the first snippets in a .htaccess file in the root of the web site/app.

To add or remove headers on IIS, you can use the <customHeaders> element with <remove>/<add> child elements, depending on what you need.

The following snippet will remove the headers from all responses. Note that <remove> strips headers that IIS adds through its own customHeaders configuration (for example the default X-Powered-By: ASP.NET entry inherited from applicationHost.config); a header that application code or a module sets at runtime has to be removed in that code or with an outbound rewrite rule:

<configuration>
    <system.webServer>
        <httpProtocol>
            <customHeaders>
                <remove name="Expires"/>
                <remove name="Host"/>
                <remove name="P3P"/>
                <remove name="Pragma"/>
                <remove name="Public-Key-Pins"/>
                <remove name="Public-Key-Pins-Report-Only"/>
                <remove name="Via"/>
                <remove name="X-Frame-Options"/>
                <remove name="X-Powered-By"/>
                <remove name="X-Runtime"/>
                <remove name="X-Version"/>
            </customHeaders>
        </httpProtocol>
    </system.webServer>
    <system.web>
        <!-- X-AspNet-Version, only needed if running an AspNet app -->
        <httpRuntime enableVersionHeader="false" />
    </system.web>
</configuration>

To remove the header X-AspNetMvc-version, open your Global.asax file and add the following to your Application_Start event:

MvcHandler.DisableMvcResponseHeader = true;

Removing the Server header is a bit more complicated and the method depends on the IIS version.

In IIS 10.0 (version 1709 and later) you can remove it using the removeServerHeader attribute of requestFiltering:

<configuration>
    <system.webServer>
        <security>
            <requestFiltering removeServerHeader="true" />
        </security>
    </system.webServer>
</configuration>

For previous versions of IIS (7.0-8.5) you can use the following:

<configuration>
    <system.webServer>
        <rewrite>
            <outboundRules rewriteBeforeCache="true">
                <rule name="Remove Server header">
                    <match serverVariable="RESPONSE_Server" pattern=".+" />
                    <action type="Rewrite" value="" />
                </rule>
            </outboundRules>
        </rewrite>
    </system.webServer>
</configuration>

The above snippet uses a URL Rewrite outbound rule to blank the Server header on any response that contains it. It requires the IIS URL Rewrite module, which is not part of a default IIS installation, and it does not affect responses that HTTP.sys generates on its own (for example some kernel-level error responses), which never pass through the IIS pipeline.

Can the hint be configured?

Yes, you can use:

  • include to specify additional HTTP headers that should be disallowed
  • ignore to specify which of the disallowed HTTP headers should be ignored

E.g. The following hint configuration used in the .hintrc file will make the hint allow responses to be served with the Server HTTP header, but not with Custom-Header.

{
    "connector": {...},
    "formatters": [...],
    "hints": {
        "no-disallowed-headers": [ "warning", {
            "ignore": ["Server"],
            "include": ["Custom-Header"]
        }],
        ...
    },
    ...
}
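The following is an added example, not webhint's own implementation: a small stand-alone Node.js checker that applies the rules described above (the default disallowed list, the Server-header check, and the include/ignore options) to the header block of a raw HTTP/1.x response. The rule used for the Server header (anything beyond a bare product name, such as a version number, a slash, a parenthesised OS/module list or extra tokens, counts as too much information) is an assumption made here and not necessarily webhint's exact rule; the sample responses are constructed to mirror the README's examples.

```javascript
'use strict';

// Added example (not webhint's implementation): checks the header block of a
// raw HTTP/1.x response against the rules described in the README above.

// Default disallowed headers, as listed in the README. Stored lower-case
// because HTTP header names are case-insensitive.
const DEFAULT_DISALLOWED = [
  'expires', 'host', 'p3p', 'pragma',
  'public-key-pins', 'public-key-pins-report-only',
  'x-aspnet-version', 'x-aspnetmvc-version', 'x-frame-options',
  'x-powered-by', 'x-runtime', 'x-version',
];

// Parse the header block of a raw HTTP/1.x response into an object keyed by
// lower-cased header name. Folded continuation lines (leading whitespace) are
// joined onto the previous header, which the HPKP example needs; lines
// without a colon (such as the "..." placeholders in the README) are skipped,
// and a blank line after the first header ends the block.
function parseResponseHeaders(raw) {
  const headers = {};
  let current = null;
  for (const line of raw.split(/\r?\n/).slice(1)) { // slice(1) drops the status line
    if (line.trim() === '') {
      if (current !== null) break; // end of headers, body follows
      continue;
    }
    if (/^[ \t]/.test(line) && current !== null) {
      headers[current] = `${headers[current]} ${line.trim()}`.trim();
      continue;
    }
    const colon = line.indexOf(':');
    if (colon === -1) continue;
    current = line.slice(0, colon).trim().toLowerCase();
    const value = line.slice(colon + 1).trim();
    headers[current] = current in headers ? `${headers[current]}, ${value}` : value;
  }
  return headers;
}

// Assumed heuristic for the Server header: a bare product name such as
// "apache" or "nginx" passes; a version number, a slash, parentheses or more
// than one token is treated as revealing too much.
function serverRevealsTooMuch(value) {
  const v = value.trim();
  return /\d/.test(v) || /[/()]/.test(v) || /\s/.test(v);
}

// Apply the rules. `options.include` adds header names to the disallowed set
// and `options.ignore` exempts names, mirroring the .hintrc options above.
function checkHeaders(headers, options = {}) {
  const ignore = new Set((options.ignore || []).map((h) => h.toLowerCase()));
  const disallowed = new Set([
    ...DEFAULT_DISALLOWED,
    ...(options.include || []).map((h) => h.toLowerCase()),
  ]);
  const findings = [];
  for (const [name, value] of Object.entries(headers)) {
    if (ignore.has(name)) continue;
    if (disallowed.has(name)) {
      findings.push({ header: name, message: `'${name}' header is disallowed` });
    } else if (name === 'server' && serverRevealsTooMuch(value)) {
      findings.push({ header: name, message: `'server' header value '${value}' contains more than the server name` });
    }
  }
  return findings;
}

function checkRawResponse(raw, options) {
  return checkHeaders(parseResponseHeaders(raw), options);
}

// Constructed sample responses mirroring the README's examples.
const SAMPLE_APACHE_PHP = [
  'HTTP/1.1 200 OK',
  'Content-Type: text/html',
  'Server: Apache/2.2.27 (Unix) mod_ssl/2.2.27 OpenSSL/1.0.1e-fips mod_bwlimited/1.4',
  'X-Powered-By: PHP/5.3.28',
  '',
].join('\r\n');

const SAMPLE_HPKP = [
  'HTTP/1.1 200 OK',
  'Public-Key-Pins-Report-Only:',
  '  pin-sha256="MoScTAZWKaASuYWhhneDttWpY3oBAkE3h2+soZS7sWs=";',
  '  pin-sha256="C5HTzCzM3elUxkcjR2S5P4hhyBNf6lHkmjAHKhpGPWE=";',
  '  includeSubDomains;',
  '  report-uri="https://www.example.com/hpkp-report"',
  '',
].join('\r\n');

const SAMPLE_CLEAN = ['HTTP/1.1 200 OK', 'Server: apache', 'Content-Type: text/html', ''].join('\r\n');

for (const [label, raw] of [['apache+php', SAMPLE_APACHE_PHP], ['hpkp', SAMPLE_HPKP], ['clean', SAMPLE_CLEAN]]) {
  const findings = checkRawResponse(raw);
  console.log(`${label}: ${findings.length === 0 ? 'pass' : findings.map((f) => f.message).join('; ')}`);
}
```

Run it with `node` to see the two README "trigger" examples reported and the `Server: apache` example pass. Passing `{ ignore: ['Server'], include: ['Custom-Header'] }` as the second argument of `checkRawResponse` reproduces the configured behaviour described above: the Server header is no longer reported while Custom-Header is.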

How to use this hint?

This package is installed automatically by webhint:

npm install hint --save-dev

To use it, activate it via the .hintrc configuration file:

{
    "connector": {...},
    "formatters": [...],
    "hints": {
        "no-disallowed-headers": "error",
        ...
    },
    "parsers": [...],
    ...
}

Note: The recommended way of running webhint is as a devDependency of your project.