Comments (13)
Are you saying you told express to not include the x-powered-by header and it's being included anyway because of a double request?
On Jun 23, 2014, at 11:47 PM, panpansh [email protected] wrote:
Because I'm using Chrome, this browser wants to get the favicon.ico with a second GET. And the response header of this GET contains X-Powered-By: Express.
Sorry for my bad English; it's clearer by example :)
Chrome pointed to http://localhost:3000
RESULT:
http://localhost:3000/ :
HTTP/1.1 200 OK
Cache-Control: no-store, no-cache
Connection: keep-alive
Content-Length: 598
Content-Type: text/html; charset=utf-8
Date: Tue, 24 Jun 2014 15:52:04 GMT
ETag: "2143792699"
X-Content-Type-Options: nosniff
X-Download-Options: noopen
X-FRAME-OPTIONS: DENY
X-XSS-Protection: 1; mode=block
http://localhost:3000/favicon.ico :
HTTP/1.1 200 OK
Cache-Control: public, max-age=86400
Content-Length: 1406
Content-Type: image/x-icon
Date: Mon, 23 Jun 2014 23:19:45 GMT
ETag: "33e3ea7fc9c08d2e72730482906a676c"
X-Powered-By: Express
Can you tell me how you have helmet configured?
By default: app.use(helmet.defaults());
I'd imagine that you're including the favicon middleware before Helmet. You probably have something that looks like this:
app.use(faviconMiddleware())
app.use(helmet.defaults())
To fix this, you'll want to switch the order:
app.use(helmet.defaults())
app.use(faviconMiddleware())
Is that correct?
Alternatively, you can do this for Express (anywhere):
app.disable('x-powered-by')
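To make the ordering point concrete, here is an added example (not code from the helmet project or this thread) that models an Express-style middleware chain in plain Node.js; expressInit, hidePoweredBy and favicon are simplified stand-ins for Express 4's init step, helmet's hidePoweredBy and a favicon handler that ends the response without calling next().

```javascript
// Added example, not from helmet or Express: a minimal model of an Express-style
// middleware chain, used to show why the ORDER of helmet and a favicon middleware
// decides whether X-Powered-By survives on /favicon.ico.
// Assumptions: Express 4 sets "X-Powered-By: Express" in its init step and
// helmet's hidePoweredBy removes it with res.removeHeader(); both are modelled here.

function makeRes() {
  const headers = {};
  return {
    headers,
    ended: false,
    setHeader(name, value) { headers[name.toLowerCase()] = value; },
    removeHeader(name) { delete headers[name.toLowerCase()]; },
    getHeader(name) { return headers[name.toLowerCase()]; },
    end() { this.ended = true; },
  };
}

// Run middlewares in order; a middleware that ends the response without
// calling next() stops the chain, just as a favicon handler does.
function run(middlewares, req) {
  const res = makeRes();
  let i = 0;
  const next = () => { const mw = middlewares[i++]; if (mw) mw(req, res, next); };
  next();
  return res;
}

// Stand-ins for the three participants discussed in the thread.
const expressInit = (req, res, next) => { res.setHeader('X-Powered-By', 'Express'); next(); };
const hidePoweredBy = (req, res, next) => { res.removeHeader('X-Powered-By'); next(); };
const favicon = (req, res, next) => {
  if (req.url !== '/favicon.ico') return next();
  res.setHeader('Content-Type', 'image/x-icon');
  res.end();                       // short-circuits: later middleware never runs
};
const page = (req, res) => { res.setHeader('Content-Type', 'text/html'); res.end(); };

// Returns true when the X-Powered-By header leaked for the given stack and URL.
function leaks(stack, url) {
  return run([expressInit, ...stack], { url }).getHeader('X-Powered-By') !== undefined;
}

// favicon before helmet: "/" is clean, but "/favicon.ico" still advertises Express.
const wrongOrder = [favicon, hidePoweredBy, page];
// helmet first: every response, including the favicon, is clean.
const rightOrder = [hidePoweredBy, favicon, page];
```

Against a real app the equivalent check is one request per route, including /favicon.ico, inspecting the X-Powered-By header, since a browser sends that second request on its own.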
That is my order, the same as your fix:
var helmet = require('helmet');
...
var app = express();
app.use(helmet.defaults());
...
app.use(favicon());
Also, I want to use all the functionality of your middleware: I don't want to use app.disable();
Using the httpie tool or telnet I have no problem with that because only one GET is sent.
Using the Chrome browser, at first load, Chrome does one GET for the URL specified and one GET for the favicon.
Using the "Live HTTP Headers" plugin for Chrome I can see that and I think you can reproduce it.
Regards.
I can't reproduce it with a simple app. Could you compare with this code and see what is different?
Also, what favicon middleware are you using?
I don't use the same favicon middleware as you; I use the default included by Express 4, named 'static-favicon'.
Using the 'serve-favicon' middleware works fine.
Do you know why we get this result when static-favicon is used?
I can't reproduce this... have you tried:
- Updating your modules to the latest versions
- app.disable('x-powered-by') in addition to Helmet
- Clearing your caches to make sure you're not getting an old version from before you added Helmet
- Upgrading static-favicon to serve-favicon, the officially-supported version
Yes, using serve-favicon instead of static-favicon results in Helmet writing the correct HTTP headers for the favicon GET.
I'm sorry for this 👍
But it's the default favicon middleware used by the 'express' command-line bin to generate a starting project.
Okay. Sounds like a bug in express-generator!
Is this solved?
Yes, this is solved, thank you Evan.
You could maybe add an alert if a project uses the 'static-favicon' middleware, telling the user to use 'serve-favicon' and why. :)
Like a console.log();
Okay -- I might do that! Glad we could help.