Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

How to not expose via in header ? #185

Open
foremtehan opened this issue Nov 6, 2021 · 4 comments
Open

How to not expose via in header ? #185

foremtehan opened this issue Nov 6, 2021 · 4 comments

Comments

@foremtehan
Copy link

foremtehan commented Nov 6, 2021
edited
Loading

Looks like wappalyzer able to detect the heroku apps by checking the via header:

https://github.com/AliasIO/wappalyzer/blob/7b54cb8487350a5d5ea95d02414f83ce3cd06cd1/src/technologies/h.json#L341-L357

Is there any possibility to not expose that header or any other info from heroku ?

This is kinda of privacy issue
@ferd
Copy link
Contributor

ferd commented Nov 6, 2021

The via header is required by the HTTP specification for proxies, and is unconditionally added by Vegur to responses.

Heroku support might be able to offer solutions, or services like cloudflare or fastly could mask such a value, but the code as written leaves no room for alternatives.

@hartwork
Copy link

hartwork commented Apr 28, 2024
edited
Loading

The via header is required by the HTTP specification for proxies

Do you have a source on that? I'd be curios, in particular because reverse proxy Caddy does not seem to add that header.

This is kinda of privacy issue

I believe you mean "security by obscurity" (which can help but is not a fix), but not privacy.

@ferd
Copy link
Contributor

ferd commented Apr 29, 2024
edited
Loading

It was part of RFC 2068

14.44 Via

   The Via general-header field MUST be used by gateways and proxies to
   indicate the intermediate protocols and recipients between the user
   agent and the server on requests, and between the origin server and
   the client on responses. It is analogous to the "Received" field of
   RFC 822 and is intended to be used for tracking message forwards,
   avoiding request loops, and identifying the protocol capabilities of
   all senders along the request/response chain.

It was still present in RFC 7230 (and the relevant segment is still in 9110) except it made it optional on responses—which had escaped me—but Vegur had its development started in 2014, before or concurrently with RFC 7230 becoming standard and was still in sync with RFC 2038:

5.7.1.  Via
[...]
A proxy MUST send an appropriate Via header field, as described
   below, in each message that it forwards.  An HTTP-to-HTTP gateway
   MUST send an appropriate Via header field in each inbound request
   message and MAY send a Via header field in forwarded response
   messages.

at this point in time I don't believe Heroku still uses Vegur in production though, but I haven't worked there in 8+ years.

@hartwork
Copy link

@ferd interesting, thanks!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@ferd @hartwork @foremtehan