feat(secure-headers): remove "X-Powered-By" should be an option (hono…

…js#3177) * fix: Secure-Headers delete "X-Powered-By" should be an option * fix: Secure-Headers delete "X-Powered-By" should be an option * Update index.test.ts * chore: format * Update secure-headers.ts * update tests * update middleware * chore * change prop name * chore * chore: format * revert the change of arg name * some fix * chore
K-tecchan · Jul 27, 2024 · 8da482a · 8da482a
1 parent e8118e3
commit 8da482a
Show file tree

Hide file tree

Showing 2 changed files with 36 additions and 1 deletion.
diff --git a/src/middleware/secure-headers/index.test.ts b/src/middleware/secure-headers/index.test.ts
@@ -405,4 +405,33 @@ describe('Secure Headers Middleware', () => {
     expect(csp).toMatch(`style-src 'self' 'nonce-styleSrc'`)
     expect(await res.text()).toEqual('script: scriptSrc, style: styleSrc')
   })
+
+  it('Remove X-Powered-By', async () => {
+    const app = new Hono()
+
+    app.get('/test', secureHeaders(), poweredBy(), async (c) => {
+      return c.text('Hono is cool')
+    })
+
+    app.get(
+      '/test2',
+      secureHeaders({
+        removePoweredBy: false,
+      }),
+      poweredBy(),
+      async (c) => {
+        return c.text('Hono is cool')
+      }
+    )
+
+    const res = await app.request('/test')
+    const poweredby = res.headers.get('X-Powered-By')
+    expect(poweredby).toEqual(null)
+    expect(await res.text()).toEqual('Hono is cool')
+
+    const res2 = await app.request('/test2')
+    const poweredby2 = res2.headers.get('X-Powered-By')
+    expect(poweredby2).toEqual('Hono')
+    expect(await res2.text()).toEqual('Hono is cool')
+  })
 })
diff --git a/src/middleware/secure-headers/secure-headers.ts b/src/middleware/secure-headers/secure-headers.ts
@@ -72,6 +72,7 @@ interface SecureHeadersOptions {
   xFrameOptions?: overridableHeader
   xPermittedCrossDomainPolicies?: overridableHeader
   xXssProtection?: overridableHeader
+  removePoweredBy?: boolean
 }
 
 type HeadersMap = {
@@ -106,6 +107,7 @@ const DEFAULT_OPTIONS: SecureHeadersOptions = {
   xFrameOptions: true,
   xPermittedCrossDomainPolicies: true,
   xXssProtection: true,
+  removePoweredBy: true,
 }
 
 type SecureHeadersCallback = (
@@ -151,6 +153,7 @@ export const NONCE: ContentSecurityPolicyOptionHandler = (ctx) => {
  * @param {overridableHeader} [customOptions.xFrameOptions=true] - Settings for the X-Frame-Options header.
  * @param {overridableHeader} [customOptions.xPermittedCrossDomainPolicies=true] - Settings for the X-Permitted-Cross-Domain-Policies header.
  * @param {overridableHeader} [customOptions.xXssProtection=true] - Settings for the X-XSS-Protection header.
+ * @param {boolean} [customOptions.removePoweredBy=true] - Settings for remove X-Powered-By header.
  * @returns {MiddlewareHandler} The middleware handler function.
  *
  * @example
@@ -189,7 +192,10 @@ export const secureHeaders = (customOptions?: SecureHeadersOptions): MiddlewareH
         : callbacks.reduce((acc, cb) => cb(ctx, acc), headersToSet)
     await next()
     setHeaders(ctx, headersToSetForReq)
-    ctx.res.headers.delete('X-Powered-By')
+
+    if (options?.removePoweredBy) {
+      ctx.res.headers.delete('X-Powered-By')
+    }
   }
 }