Drop the Strict-Transport-Security response header #1862 (#1984)

microsoft · Jan 4, 2023 · f26d0f1 · f26d0f1
1 parent 659aa0b
commit f26d0f1
Show file tree

Hide file tree

Showing 3 changed files with 4 additions and 2 deletions.
diff --git a/docs/docfx/articles/header-guidelines.md b/docs/docfx/articles/header-guidelines.md
@@ -9,7 +9,7 @@ Headers are a very important part of processing HTTP requests and each have thei
 
 ## YARP header filtering
 
-YARP automatically removes request and response headers that could impact its ability to forward a request correctly, or that may be used maliciously to bypass features of the proxy. A complete list can be found [here](https://github.com/microsoft/reverse-proxy/blob/b0a24521b269c030c50617f9fc56be9b8a3fe247/src/ReverseProxy/Forwarder/RequestUtilities.cs#L65-L81), with some highlights described below.
+YARP automatically removes request and response headers that could impact its ability to forward a request correctly, or that may be used maliciously to bypass features of the proxy. A complete list can be found [here](https://github.com/microsoft/reverse-proxy/blob/main/src/ReverseProxy/Forwarder/RequestUtilities.cs#L63), with some highlights described below.
 
 ### Connection, KeepAlive, Close
 

diff --git a/src/ReverseProxy/Forwarder/RequestUtilities.cs b/src/ReverseProxy/Forwarder/RequestUtilities.cs
@@ -60,7 +60,7 @@ internal static bool ShouldSkipResponseHeader(string headerName)
         return _headersToExclude.Contains(headerName);
     }
 
-    private static readonly HashSet<string> _headersToExclude = new(17, StringComparer.OrdinalIgnoreCase)
+    private static readonly HashSet<string> _headersToExclude = new(18, StringComparer.OrdinalIgnoreCase)
     {
         HeaderNames.Connection,
         HeaderNames.TransferEncoding,
@@ -79,6 +79,7 @@ internal static bool ShouldSkipResponseHeader(string headerName)
         HeaderNames.UpgradeInsecureRequests,
         HeaderNames.TE,
         HeaderNames.AltSvc,
+        HeaderNames.StrictTransportSecurity,
     };
 
     // Headers marked as HttpHeaderType.Content in

diff --git a/test/ReverseProxy.Tests/Forwarder/HttpTransformerTests.cs b/test/ReverseProxy.Tests/Forwarder/HttpTransformerTests.cs
@@ -33,6 +33,7 @@ public class HttpTransformerTests
         HeaderNames.UpgradeInsecureRequests,
         HeaderNames.TE,
         HeaderNames.AltSvc,
+        HeaderNames.StrictTransportSecurity,
     };
 
     [Fact]