Railway overwrites server header

We need to remove the server header due to security reasons. Our app is built on FastAPI. Locally everything seems to be working fine; by using this command
uvicorn src.main:app --no-server-header
the server header is removed. When deploying to Railway we have this railway.toml file:
[deploy]
numReplicas = 1
startCommand = "alembic upgrade head && uvicorn src.main:app --no-server-header --host 0.0.0.0 --port $PORT"
restartPolicyType = "ON_FAILURE"
restartPolicyMaxRetries = 10
But it seems that Railway overwrites the server header, because it is still set to "server: railway". Is it possible to somehow disable this?
Solution
Brody, 6mo ago
Railway does not provide a way to disable the server header they are setting. It would be helpful if you could go more in depth on why you need it removed.
Medikornov (OP), 6mo ago
We are trying to pass ADA CASA Tier 2 assessment. After dynamic scan we got this recommendation:
Configure all proxies, application servers, and web servers to prevent disclosure of the technology and version
information in the 'Server' and 'X-Powered-By' HTTP response headers.
Brody, 6mo ago
The server header that Railway sets does not disclose any of the technologies involved in serving the page, unlike an nginx server header.
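
An added example, not part of the thread: a small Python check for the two headers named in the scan recommendation, reporting which product tokens, versions and comments each one reveals. The sample responses are constructed, and `parse_headers` and `audit` are hypothetical helper names.

```python
import re

# RFC 9110 "product" token: name, optionally "/" version (e.g. "nginx/1.18.0").
TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
PRODUCT_RE = re.compile(rf"({TOKEN})(?:/({TOKEN}))?")
COMMENT_RE = re.compile(r"\([^()]*\)")   # parenthesised comments, e.g. "(Ubuntu)"
AUDITED = ("server", "x-powered-by")     # headers named in the scan recommendation


def parse_headers(raw: str) -> dict[str, list[str]]:
    """Parse a raw response head into {lowercased name: [values]}."""
    headers: dict[str, list[str]] = {}
    for line in raw.strip().splitlines()[1:]:      # skip the status line
        if not line.strip():
            break                                   # blank line ends the head
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def audit(raw: str) -> dict[str, dict]:
    """Report, per audited header, the products and versions it reveals."""
    headers = parse_headers(raw)
    report = {}
    for name in AUDITED:
        values = headers.get(name, [])
        comments = [c for v in values for c in COMMENT_RE.findall(v)]
        products = [m.groups() for v in values
                    for m in PRODUCT_RE.finditer(COMMENT_RE.sub(" ", v))]
        report[name] = {
            "present": bool(values),
            "products": [p for p, _ in products],
            "versions": [f"{p}/{ver}" for p, ver in products if ver],
            "comments": comments,
        }
    return report


# Constructed sample responses (not captured from any real deployment).
LOCAL = "HTTP/1.1 200 OK\r\ncontent-type: application/json\r\n\r\n"
DEPLOYED = "HTTP/1.1 200 OK\r\ncontent-type: application/json\r\nserver: railway\r\n\r\n"
VERSIONED = "HTTP/1.1 200 OK\r\nServer: nginx/1.18.0 (Ubuntu)\r\nX-Powered-By: Express\r\n\r\n"

if __name__ == "__main__":
    for label, raw in (("local", LOCAL), ("deployed", DEPLOYED), ("versioned", VERSIONED)):
        print(label, audit(raw))
```

Feed it the response head from the deployed URL rather than the local server, since a proxy in front of the app can add or replace headers after the application has responded.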