Add x-powered-by header

2023-02-27 09:22:59 +01:00 · 2023-02-27 09:22:59 +01:00 · 4765348107
parent 357308ce22
commit 4765348107
6 changed files with 24 additions and 5 deletions
--- a/config/default.yaml
+++ b/config/default.yaml
@ -288,6 +288,11 @@ security:
  frameguard:
    enabled: true

+  # Set x-powered-by HTTP header to "PeerTube"
+  # Can help remote software to know this is a PeerTube instance
+  powered_by_header:
+    enabled: true
+
 tracker:
  # If you disable the tracker, you disable the P2P on your PeerTube instance
  enabled: true
--- a/config/production.yaml.example
+++ b/config/production.yaml.example
@ -286,6 +286,11 @@ security:
  frameguard:
    enabled: true

+  # Set x-powered-by HTTP header to "PeerTube"
+  # Can help remote software to know this is a PeerTube instance
+  powered_by_header:
+    enabled: true
+
 tracker:
  # If you disable the tracker, you disable the P2P on your PeerTube instance
  enabled: true
--- a/server.ts
+++ b/server.ts
@ -56,8 +56,13 @@ try {
 app.set('trust proxy', CONFIG.TRUST_PROXY)

 app.use((_req, res, next) => {
+  // OpenTelemetry
  res.locals.requestStart = Date.now()

+  if (CONFIG.SECURITY.POWERED_BY_HEADER.ENABLED === true) {
+    res.setHeader('x-powered-by', 'PeerTube')
+  }
+
  return next()
 })

--- a/server/initializers/checker-before-init.ts
+++ b/server/initializers/checker-before-init.ts
@ -26,7 +26,7 @@ function checkMissedConfig () {
    'user.video_quota', 'user.video_quota_daily',
    'video_channels.max_per_user',
    'csp.enabled', 'csp.report_only', 'csp.report_uri',
-    'security.frameguard.enabled',
+    'security.frameguard.enabled', 'security.powered_by_header.enabled',
    'cache.previews.size', 'cache.captions.size', 'cache.torrents.size', 'admin.email', 'contact_form.enabled',
    'signup.enabled', 'signup.limit', 'signup.requires_approval', 'signup.requires_email_verification', 'signup.minimum_age',
    'signup.filters.cidr.whitelist', 'signup.filters.cidr.blacklist',
--- a/server/initializers/config.ts
+++ b/server/initializers/config.ts
@ -236,6 +236,9 @@ const CONFIG = {
  SECURITY: {
    FRAMEGUARD: {
      ENABLED: config.get<boolean>('security.frameguard.enabled')
+    },
+    POWERED_BY_HEADER: {
+      ENABLED: config.get<boolean>('security.powered_by_header.enabled')
    }
  },
  TRACKER: {
--- a/server/tests/api/server/config.ts
+++ b/server/tests/api/server/config.ts
@ -561,15 +561,13 @@ describe('Test config', function () {
  })

  it('Should remove the custom configuration', async function () {
-    this.timeout(10000)
-
    await server.config.deleteCustomConfig()

    const data = await server.config.getCustomConfig()
    checkInitialConfig(server, data)
  })

-  it('Should enable frameguard', async function () {
+  it('Should enable/disable security headers', async function () {
    this.timeout(25000)

    {
@ -580,13 +578,15 @@ describe('Test config', function () {
      })

      expect(res.headers['x-frame-options']).to.exist
+      expect(res.headers['x-powered-by']).to.equal('PeerTube')
    }

    await killallServers([ server ])

    const config = {
      security: {
-        frameguard: { enabled: false }
+        frameguard: { enabled: false },
+        powered_by_header: { enabled: false }
      }
    }
    await server.run(config)
@ -599,6 +599,7 @@ describe('Test config', function () {
      })

      expect(res.headers['x-frame-options']).to.not.exist
+      expect(res.headers['x-powered-by']).to.not.exist
    }
  })