Drop the Strict-Transport-Security response header #1862 (#1984)

Tratcher · web-flow · commit f26d0f1d324d · 2023-01-04T18:45:19.000Z
diff --git a/docs/docfx/articles/header-guidelines.md b/docs/docfx/articles/header-guidelines.md
@@ -9,7 +9,7 @@ Headers are a very important part of processing HTTP requests and each have thei
 
 ## YARP header filtering
 
-YARP automatically removes request and response headers that could impact its ability to forward a request correctly, or that may be used maliciously to bypass features of the proxy. A complete list can be found [here](https://github.com/microsoft/reverse-proxy/blob/b0a24521b269c030c50617f9fc56be9b8a3fe247/src/ReverseProxy/Forwarder/RequestUtilities.cs#L65-L81), with some highlights described below.
+YARP automatically removes request and response headers that could impact its ability to forward a request correctly, or that may be used maliciously to bypass features of the proxy. A complete list can be found [here](https://github.com/microsoft/reverse-proxy/blob/main/src/ReverseProxy/Forwarder/RequestUtilities.cs#L63), with some highlights described below.
 
 ### Connection, KeepAlive, Close
 
diff --git a/src/ReverseProxy/Forwarder/RequestUtilities.cs b/src/ReverseProxy/Forwarder/RequestUtilities.cs
@@ -60,7 +60,7 @@ internal static bool ShouldSkipResponseHeader(string headerName)
         return _headersToExclude.Contains(headerName);
     }
 
-    private static readonly HashSet<string> _headersToExclude = new(17, StringComparer.OrdinalIgnoreCase)
+    private static readonly HashSet<string> _headersToExclude = new(18, StringComparer.OrdinalIgnoreCase)
     {
         HeaderNames.Connection,
         HeaderNames.TransferEncoding,
@@ -79,6 +79,7 @@ internal static bool ShouldSkipResponseHeader(string headerName)
         HeaderNames.UpgradeInsecureRequests,
         HeaderNames.TE,
         HeaderNames.AltSvc,
+        HeaderNames.StrictTransportSecurity,
     };
 
     // Headers marked as HttpHeaderType.Content in
diff --git a/test/ReverseProxy.Tests/Forwarder/HttpTransformerTests.cs b/test/ReverseProxy.Tests/Forwarder/HttpTransformerTests.cs
@@ -33,6 +33,7 @@ public class HttpTransformerTests
         HeaderNames.UpgradeInsecureRequests,
         HeaderNames.TE,
         HeaderNames.AltSvc,
+        HeaderNames.StrictTransportSecurity,
     };
 
     [Fact]

Original file line number	Diff line number	Diff line change
`@@ -60,7 +60,7 @@ internal static bool ShouldSkipResponseHeader(string headerName)`
`60`	`60`	`return _headersToExclude.Contains(headerName);`
`61`	`61`	`}`
`62`	`62`
`63`		`- private static readonly HashSet<string> _headersToExclude = new(17, StringComparer.OrdinalIgnoreCase)`
	`63`	`+ private static readonly HashSet<string> _headersToExclude = new(18, StringComparer.OrdinalIgnoreCase)`
`64`	`64`	`{`
`65`	`65`	`HeaderNames.Connection,`
`66`	`66`	`HeaderNames.TransferEncoding,`
`@@ -79,6 +79,7 @@ internal static bool ShouldSkipResponseHeader(string headerName)`
`79`	`79`	`HeaderNames.UpgradeInsecureRequests,`
`80`	`80`	`HeaderNames.TE,`
`81`	`81`	`HeaderNames.AltSvc,`
	`82`	`+ HeaderNames.StrictTransportSecurity,`
`82`	`83`	`};`
`83`	`84`
`84`	`85`	`// Headers marked as HttpHeaderType.Content in`