From ef483403da38c37384f543b0899049c7ef02b4d4 Mon Sep 17 00:00:00 2001
From: yusing
Date: Tue, 22 Apr 2025 15:58:53 +0800
Subject: [PATCH] security: drop service headers

---
 internal/net/gphttp/httpheaders/utils.go | 5 +++++
 internal/net/gphttp/reverseproxy/reverse_proxy_mod.go | 2 ++
 2 files changed, 7 insertions(+)

diff --git a/internal/net/gphttp/httpheaders/utils.go b/internal/net/gphttp/httpheaders/utils.go
index 00bed76..2f348ca 100644
--- a/internal/net/gphttp/httpheaders/utils.go
+++ b/internal/net/gphttp/httpheaders/utils.go
@@ -82,6 +82,11 @@ func RemoveHop(h http.Header) {
 }
 }

+func RemoveServiceHeaders(h http.Header) {
+ h.Del("X-Powered-By")
+ h.Del("Server")
+}
+
 func CopyHeader(dst, src http.Header) {
 for k, vv := range src {
 for _, v := range vv {
diff --git a/internal/net/gphttp/reverseproxy/reverse_proxy_mod.go b/internal/net/gphttp/reverseproxy/reverse_proxy_mod.go
index 49988f0..4e37d73 100644
--- a/internal/net/gphttp/reverseproxy/reverse_proxy_mod.go
+++ b/internal/net/gphttp/reverseproxy/reverse_proxy_mod.go
@@ -380,6 +380,8 @@ func (p *ReverseProxy) handler(rw http.ResponseWriter, req *http.Request) {
 }()
 }

+ httpheaders.RemoveServiceHeaders(res.Header)
+
 // Deal with 101 Switching Protocols responses: (WebSocket, h2c, etc)
 if res.StatusCode == http.StatusSwitchingProtocols {
 if !p.modifyResponse(rw, res, req, outreq) {
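Review bot: `RemoveServiceHeaders` in httpheaders/utils.go is exported but has no doc comment, and the name alone does not say which headers it removes or why. A comment such as `// RemoveServiceHeaders deletes the Server and X-Powered-By headers from h so that upstream software names and versions are not disclosed to clients.` would record the intent. The set is hard-coded to two names, so other version-revealing response headers (for example `X-AspNet-Version`) pass through unchanged; a package-level slice of header names iterated here would be easier to extend and audit.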
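Review bot: In reverse_proxy_mod.go the call `httpheaders.RemoveServiceHeaders(res.Header)` runs before the 101 branch and before `p.modifyResponse`, so it strips only what the upstream sent; a `Server` or `X-Powered-By` value set later by a response modifier would still reach the client. If that is intended, a comment would make it explicit, e.g. `// strip upstream fingerprinting headers; response modifiers may still set their own`. If the intent is that these headers never leave the proxy, the deletion would need to happen after `modifyResponse`, immediately before the headers are copied to `rw`. The handler body starts and ends outside this hunk, so whether informational (1xx) responses are forwarded on a separate path that skips this call cannot be seen here and is worth checking.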