Server header on upgrade request

1. Caddy version (caddy version):


2. How I run Caddy:

a. System environment:

systemd on archlinux

b. Command:

systemctl start caddy

c. Service/unit/compose file:


d. My complete Caddyfile or JSON config:

    admin off
    auto_https disable_redirects
    email user@domain.tld

(common) {
	header {
		permissions-policy interest-cohort=()
		strict-transport-security max-age=31536000
	encode gzip

(proxy) {
	import common
	@shared path /favicon.ico /robots.txt
	reverse_proxy @shared https://www.domain.tld {
		header_up Host {http.reverse_proxy.upstream.hostport}
	tls user@domain.tld

http:// {
	import common
	redir https://{host}{uri} permanent

www.domain.tld {
    import common
	root * /srv/http/www

app.domain.tld {
	import proxy 3001

3. The problem I’m having:

I try to hide the HTTP server I am using for security reasons and use header -server directive for this purpose. It’s fine with this configuration but not when using websocket: it is still in the response to the upgrade request with app.domain.tld. Is there a way to remove it?

4. Error messages and/or full log output:


5. What I already tried:

  • search the doc,
  • search this forum,
  • search with ddg and google.

6. Links to relevant resources:


1 Like

You don’t gain anything security-wise from removing that header. Knowing which server software is serving the request doesn’t really change how an attacker might attempt exploits.

If it actually mattered in terms of security, we wouldn’t have the header set by default.

It has practical benefit for debugging, helping to know whether you actually hit the server you expected (e.g. instead of your legacy apache server maybe).

I think what’s going on is when you use the - header operation, it implicitly turns on defer, so header operations are delayed until when the response is being written out (i.e. after proxying).

But since websockets is implemented by hijacking the connection, anything that’s deferred will never happen, since it’s being turned into a TCP pipe by the reverse_proxy module.

I don’t think there’s currently a way via Caddyfile to make - operations not be deferred (because it rarely makes sense to remove a header before any has been written by some terminal HTTP handler), but Server would be the only case where that would make sense because Caddy sets that header first-thing in the request handling pipeline.

You could adapt your config to JSON and remove the "defer": true if you really care (but I don’t think you should care).

1 Like

Thank you for your detailed answer.

This topic was automatically closed after 30 days. New replies are no longer allowed.