Removing "Server" response header

I'm trying to remove the "Server" : "Apigee Router" header from the response.

I tried removing it using an Assign Message Policy in the Proxy Endpoints' PreFlow but it didn't do it.

Then tried the same in PostFlow and then in TargetEndPoints' pre/post flow - still didn't work.

Here's the policy I have in place:

<AssignMessage async="false" continueOnError="false" enabled="true" name="removeServerHeader">
    <DisplayName>removeServerHeader</DisplayName>
    <AssignTo createNew="false" transport="http" type="response"/>
    <Properties/>
    <Remove>
        <Headers>
            <Header name="Server"/>
        </Headers>
    </Remove>
    <IgnoreUnresolvedVariables>true</IgnoreUnresolvedVariables>
</AssignMessage>
Accepted solution

That header gets added by the Apigee router, which is in front of the message processors; you cannot delete it using the policies. @Anandakumar.Subramaniam

@Anandakumar.Subramaniam, great question, thank you for highlighting this issue. Yes, I am able to reproduce the same.

It looks like the AssignMessage policy is removing the existing header from the target server, but after the flows it looks like the router is adding this header again before sending the response back to the client.

@arghya das Any idea?

I meant to post this as a Question.

I'm not able to remove the "Server" header entirely. The closest I've gotten is setting the value to something non-empty using the <Set /> element, viz.

    <Set>
        <Headers>
            <Header name="Server">N/A</Header>
        </Headers>
    </Set> 

So if anyone is aware of a way to remove the "Server" header from the response entirely, I would appreciate it if you shared it.

Thanks!

Hi @Maruti Chand,

So what is the other option to remove 'Server' header from the response?

Regards,

Tomasz

@Maruti Chand - We would like to achieve this as well. I think any pen testing will raise it as a concern.

Hi @jaskarangump, it can be removed at the router; please raise a support ticket for the same.

Getting back on this, I ended up using an assign-message policy to assign a non-empty value (viz. ".") to the 'server' header.

Hi @jaskarangump ,

If you have an on-premise installation, you need to set the following:

load.balancing.driver.nginx.var.server.name.val to NULL

on the router machine.

Please let me know if that helps.

BR, Tomasz

I believe the property name now in the router.properties file is:

conf_load_balancing_load.balancing.driver.nginx.var.server.name.val='Desired String'


If a null value is what you want:
conf_load_balancing_load.balancing.driver.nginx.var.server.name.val=

Hope this helps!

Thanks for contributing to the community!
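
A check to run after trying any of the approaches in this thread (added example, not part of any post above and not Apigee's own code): it classifies the Server header in a raw HTTP response head as disclosing, masked or absent. The sample responses are constructed, and treating "N/A", "." and an empty value as masked is an assumption based on the values posted above.

```python
# Added example: classify the "Server" header of a raw HTTP response head.
# Placeholder values are the ones posted in this thread (assumption: they
# count as "masked" because they no longer name the product).
PLACEHOLDERS = {"N/A", "."}


def server_headers(raw_head: str) -> list:
    """Return every Server header value; header names are case-insensitive."""
    values = []
    lines = raw_head.replace("\r\n", "\n").split("\n")
    for line in lines[1:]:          # skip the status line
        if not line:
            break                   # blank line ends the header block
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "server":
            values.append(value.strip())
    return values


def classify(raw_head: str) -> str:
    """Return 'absent', 'masked' or 'discloses: <values>'."""
    values = server_headers(raw_head)
    if not values:
        return "absent"
    leaking = [v for v in values if v and v not in PLACEHOLDERS]
    if not leaking:
        return "masked"
    return "discloses: " + ", ".join(leaking)


# Constructed sample responses (not captured from a real deployment).
DEFAULT = ("HTTP/1.1 200 OK\r\nContent-Type: application/json\r\n"
           "Server: Apigee Router\r\n\r\n{}")
MASKED = "HTTP/1.1 200 OK\r\nserver: .\r\n\r\n{}"
# A body line that looks like a header must not be counted.
REMOVED = ("HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\n\r\n"
           "Server: body text, not a header\r\n")

if __name__ == "__main__":
    for label, head in (("default", DEFAULT), ("masked", MASKED),
                        ("removed", REMOVED)):
        print(label, "->", classify(head))
```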