
Comments (13)

evilpacket commented on July 21, 2024

Are you saying you told express to not include the x-powered-by header and it's being included anyway because of a double request?

On Jun 23, 2014, at 11:47 PM, panpansh [email protected] wrote:

Because I'm using Chrome, this browser wants to get the favicon.ico by a second GET. And this GET's response header contains X-Powered-By: Express.


from helmet.

panpansh commented on July 21, 2024

Sorry for my bad English, it's better by example :)

Chrome pointed to http://localhost:3000

RESULT:

http://localhost:3000/ :

HTTP/1.1 200 OK
Cache-Control: no-store, no-cache
Connection: keep-alive
Content-Length: 598
Content-Type: text/html; charset=utf-8
Date: Tue, 24 Jun 2014 15:52:04 GMT
ETag: "2143792699"
X-Content-Type-Options: nosniff
X-Download-Options: noopen
X-FRAME-OPTIONS: DENY
X-XSS-Protection: 1; mode=block

http://localhost:3000/favicon.ico :

HTTP/1.1 200 OK
Cache-Control: public, max-age=86400
Content-Length: 1406
Content-Type: image/x-icon
Date: Mon, 23 Jun 2014 23:19:45 GMT
ETag: "33e3ea7fc9c08d2e72730482906a676c"
X-Powered-By: Express

evilpacket commented on July 21, 2024

Can you tell me how you have helmet configured?

On Jun 24, 2014, at 8:57 AM, panpansh [email protected] wrote:

Sorry for my bad English, it's better by example :)

http://localhost:3000/ result:

HTTP/1.1 200 OK
Cache-Control: no-store, no-cache
Connection: keep-alive
Content-Length: 598
Content-Type: text/html; charset=utf-8
Date: Tue, 24 Jun 2014 15:52:04 GMT
ETag: "2143792699"
X-Content-Type-Options: nosniff
X-Download-Options: noopen
X-FRAME-OPTIONS: DENY
X-XSS-Protection: 1; mode=block

http://localhost:3000/favicon.ico result:

HTTP/1.1 200 OK
Cache-Control: public, max-age=86400
Content-Length: 1406
Content-Type: image/x-icon
Date: Mon, 23 Jun 2014 23:19:45 GMT
ETag: "33e3ea7fc9c08d2e72730482906a676c"
X-Powered-By: Express


panpansh commented on July 21, 2024

By default: app.use(helmet.defaults());

EvanHahn commented on July 21, 2024

I'd imagine that you're including the favicon middleware before Helmet. You probably have something that looks like this:

app.use(faviconMiddleware())
app.use(helmet.defaults())

To fix this, you'll want to switch the order:

app.use(helmet.defaults())
app.use(faviconMiddleware())

Is that correct?

Alternatively, you can do this for Express (anywhere):

app.disable('x-powered-by')
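The ordering point in the comment above, shown as an added example that is not part of the thread and not Express's or Helmet's own code: a small model of an Express-style middleware chain, where a middleware that answers the request itself (a favicon handler) never calls next(), so anything registered after it, Helmet included, never runs for that request. It also models the app-level 'x-powered-by' setting, which stops the header being added at all. The names makeApp, helmetLike, faviconLike and headersFor are this example's own; it models the ordering explanation only, not the static-favicon behaviour the thread later found.

```javascript
// Added example: a minimal model of how Express runs middleware in order.
// makeApp/helmetLike/faviconLike/headersFor are this example's own names,
// not Express or Helmet APIs.

function makeApp() {
  const stack = [];
  const settings = { 'x-powered-by': true }; // mirrors app.disable('x-powered-by')
  return {
    use(fn) { stack.push(fn); },
    disable(name) { settings[name] = false; },
    // Run one request through the chain: each middleware either ends the
    // response or calls next(); once the response is ended, later middleware
    // never runs for this request.
    handle(path) {
      const res = {
        headers: {},
        ended: false,
        body: null,
        setHeader(k, v) { this.headers[k.toLowerCase()] = v; },
        removeHeader(k) { delete this.headers[k.toLowerCase()]; },
        end(b) { this.body = b; this.ended = true; }
      };
      // Express adds X-Powered-By in its own init step, before user
      // middleware, unless the 'x-powered-by' setting is disabled.
      if (settings['x-powered-by']) res.setHeader('X-Powered-By', 'Express');
      let i = 0;
      const next = () => {
        if (!res.ended && i < stack.length) stack[i++]({ path }, res, next);
      };
      next();
      return res;
    }
  };
}

// Stand-in for Helmet: strips X-Powered-By and sets a couple of its headers.
function helmetLike(req, res, next) {
  res.removeHeader('X-Powered-By');
  res.setHeader('X-Frame-Options', 'DENY');
  res.setHeader('X-Content-Type-Options', 'nosniff');
  next();
}

// Stand-in for a favicon middleware: answers /favicon.ico itself and does
// not call next(), so nothing registered after it runs for that request.
function faviconLike(req, res, next) {
  if (req.path === '/favicon.ico') {
    res.setHeader('Content-Type', 'image/x-icon');
    res.end('<icon bytes>');
    return;
  }
  next();
}

// Final route handler for every other path.
function finalHandler(req, res) {
  res.setHeader('Content-Type', 'text/html');
  res.end('<html>');
}

// Build an app with the given middleware order and return the response
// headers produced for `path`.
function headersFor(order, path, disablePoweredBy = false) {
  const app = makeApp();
  if (disablePoweredBy) app.disable('x-powered-by');
  for (const mw of order) app.use(mw);
  app.use(finalHandler);
  return app.handle(path).headers;
}

// Favicon registered before Helmet: the icon response keeps X-Powered-By
// and gets none of Helmet's headers; swapping the order fixes both.
console.log(headersFor([faviconLike, helmetLike], '/favicon.ico'));
console.log(headersFor([helmetLike, faviconLike], '/favicon.ico'));
```

The same model shows why app.disable('x-powered-by') works regardless of middleware order: the header is never added in the first place, so there is nothing for a later middleware to remove.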

panpansh commented on July 21, 2024

That is my order, the same as your fix:

var helmet = require('helmet');
...
var app = express();
app.use(helmet.defaults());
...
app.use(favicon());

Also, I want to use all the functionality of your middleware: I don't want to use app.disable();

Using the httpie tool or telnet I have no problem with that, because only one GET is sent.
Using the Chrome browser, on the first load, Chrome does one GET for the specified URL and one GET for the favicon.
Using the "Live HTTP Headers" plugin for Chrome I can see that, and I think you can reproduce it.

Regards.
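The two captured responses pasted earlier in the thread, and the point just above that a single request from httpie or telnet can miss the favicon response, suggest a check worth automating: audit every captured response, not just the page itself. The following is an added example, not code from the thread or from Helmet; it parses raw HTTP response headers and reports any response that still carries X-Powered-By or lacks the headers Helmet's defaults set. The function names (parseResponse, auditResponse, auditAll) and the EXPECTED list are this example's own choices; the sample captures are the two responses from the thread.

```javascript
// Added example: audit captured HTTP responses for a leaked X-Powered-By
// header and for missing Helmet-style headers. Names are this example's own.

// Headers Helmet's defaults set on the page response in the thread; treat any
// response missing one of them as not having gone through Helmet.
const EXPECTED = [
  'x-content-type-options',
  'x-frame-options',
  'x-xss-protection',
  'x-download-options'
];

// Parse a raw "status line + header lines" capture into a lowercased map.
function parseResponse(raw) {
  const lines = raw.trim().split(/\r?\n/);
  const statusLine = lines[0];
  const headers = {};
  for (const line of lines.slice(1)) {
    const idx = line.indexOf(':');
    if (idx < 0) continue; // not a header line
    headers[line.slice(0, idx).trim().toLowerCase()] = line.slice(idx + 1).trim();
  }
  return { statusLine, headers };
}

// Findings for one response: a leaked X-Powered-By and each missing header.
function auditResponse(url, raw) {
  const { headers } = parseResponse(raw);
  const findings = [];
  if ('x-powered-by' in headers) {
    findings.push(`leaks X-Powered-By: ${headers['x-powered-by']}`);
  }
  for (const h of EXPECTED) {
    if (!(h in headers)) findings.push(`missing ${h}`);
  }
  return { url, findings };
}

// Audit a set of captures and keep only the responses with findings.
function auditAll(captures) {
  return captures
    .map((c) => auditResponse(c.url, c.raw))
    .filter((r) => r.findings.length > 0);
}

// Sample input: the two responses pasted in the thread (page and favicon).
const CAPTURES = [
  {
    url: 'http://localhost:3000/',
    raw: [
      'HTTP/1.1 200 OK',
      'Cache-Control: no-store, no-cache',
      'Connection: keep-alive',
      'Content-Length: 598',
      'Content-Type: text/html; charset=utf-8',
      'Date: Tue, 24 Jun 2014 15:52:04 GMT',
      'ETag: "2143792699"',
      'X-Content-Type-Options: nosniff',
      'X-Download-Options: noopen',
      'X-FRAME-OPTIONS: DENY',
      'X-XSS-Protection: 1; mode=block'
    ].join('\n')
  },
  {
    url: 'http://localhost:3000/favicon.ico',
    raw: [
      'HTTP/1.1 200 OK',
      'Cache-Control: public, max-age=86400',
      'Content-Length: 1406',
      'Content-Type: image/x-icon',
      'Date: Mon, 23 Jun 2014 23:19:45 GMT',
      'ETag: "33e3ea7fc9c08d2e72730482906a676c"',
      'X-Powered-By: Express'
    ].join('\n')
  }
];

// Only the favicon response is reported: it leaks X-Powered-By and has none
// of the expected headers.
for (const r of auditAll(CAPTURES)) {
  console.log(r.url);
  for (const f of r.findings) console.log('  ' + f);
}
```

Feeding it every response a browser fetches on first load (page, favicon, static assets) catches exactly the case in this thread, where a single hand-crafted request to the page looked fine.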

EvanHahn commented on July 21, 2024

I can't reproduce it with a simple app. Could you compare with this code and see what is different?

Also, what favicon middleware are you using?

panpansh commented on July 21, 2024

I don't use the same favicon middleware as you; I use the default one included by Express 4, named 'static-favicon'.

Here is mine

Using 'serve-favicon' middleware is working fine.
Do you know why, when static-favicon is used, we get this result?

EvanHahn commented on July 21, 2024

I can't reproduce this...have you tried:

  1. Updating your modules to the latest versions
  2. app.disable('x-powered-by') in addition to Helmet
  3. Clearing your caches to make sure you're not getting an old version before you added Helmet
  4. Upgrading static-favicon to serve-favicon, the officially-supported version

panpansh commented on July 21, 2024

Yes, using serve-favicon instead of static-favicon results in Helmet rewriting the correct HTTP headers for the favicon GET.
I'm sorry for this 👍
But it's the default favicon middleware used by the 'express' command line bin to generate a starting project.

EvanHahn commented on July 21, 2024

Okay. Sounds like a bug in express-generator!

Is this solved?

panpansh commented on July 21, 2024

Yes, this is solved, thank you Evan.
Maybe you could add an alert when a project uses the 'static-favicon' middleware, telling the user to use 'serve-favicon' and why. :)
Like a console.log();

EvanHahn commented on July 21, 2024

Okay -- I might do that! Glad we could help.