Can via header be disabled?

Can the ‘via’ header parameter attached with every response be disabled?
I don’t want it to be there for some security purposes.
Or if it can’t be disabled within fly.io is there any other ways?
Thanks in advance.

image

Update: There seems to be ways with Cloudflare.
But can it be dealt with fly.io itself?

We don’t currently have a way to disable the via header, but that’s a good idea.

What security issue are you trying to prevent? Even without the via header, it’s easy to whois the IP address for an app and see that it’s running on Fly.io.

It’s usually a tick box thing for security assessments.

1 Like

Thats where Cloudflare proxy comes into play right!
I just thought it would be nice if there is a way instead of using Cloudflare to tinker with it.
(PS: Thanks for the info)

Can you show us where they make this possible? Are you talking about Cloudflare Workers or is it an option in their admin UI?

You can manipulate headers in Cloudflare using Workers, or using their standard Transform rules:

https://developers.cloudflare.com/workers/examples/alter-headers

It also seems like the via header is not set when not using the Fly http proxy, so having SSL handled in-app (using the Cloudflare proxy, ie orange-cloud, but have the SSL cert installed in the app).

So three different options if you are using Cloudflare.

@Sam1 @matthewford @greg This should now be possible with this: New Feature: Basic HTTP response header modification

2 Likes