R
Railway5mo ago
Medikornov

Railway overwrites server header

we need to remove server header due to security reasons. Our app is built on FastAPI, locally everything seems to be working fine by using this command 
uvicorn src.main:app --no-server-header
uvicorn src.main:app --no-server-header
server header is removed. When deploying to railway we are having this railway.toml file 
[deploy]
numReplicas = 1
startCommand = "alembic upgrade head && uvicorn src.main:app --no-server-header --host 0.0.0.0 --port $PORT"
restartPolicyType = "ON_FAILURE"
restartPolicyMaxRetries = 10
[deploy]
numReplicas = 1
startCommand = "alembic upgrade head && uvicorn src.main:app --no-server-header --host 0.0.0.0 --port $PORT"
restartPolicyType = "ON_FAILURE"
restartPolicyMaxRetries = 10
But it seems that railway overwrites the server header, because it is still set to "server: railway". Is it possible to somehow disable this?
Solution:
Railway does not provide a way to disable the server header they are setting, it would be helpful if you could go more in depth on why you need it removed
Jump to solution
4 Replies
Percy
Percy5mo ago
Project ID: N/A
Solution
Brody
Brody5mo ago
Railway does not provide a way to disable the server header they are setting, it would be helpful if you could go more in depth on why you need it removed
Medikornov
Medikornov5mo ago
We are trying to pass ADA CASA Tier 2 assessment. After dynamic scan we got this recommendation: 
Configure all proxies, application servers, and web servers to prevent disclosure of the technology and version
information in the 'Server' and 'X-Powered-By' HTTP response headers.
Configure all proxies, application servers, and web servers to prevent disclosure of the technology and version
information in the 'Server' and 'X-Powered-By' HTTP response headers.
Brody
Brody5mo ago
the server header that railway sets does not disclose any of the technologies involved in serving the page unlike a nginx server header
Want results from more Discord servers?
Add your server