How to Override the gunicorn Server Header
2021-01-03
In all current releases of the popular WSGI server gunicorn, the Server header reports gunicorn's full version string (gunicorn/ followed by the version). I spotted this on my new project DB Buddy when checking the response headers with httpie.
Reporting the exact version of server software is not recommended: it lets an attacker fingerprint the deployment and match it against known vulnerabilities for that version, while giving legitimate clients nothing in return. Fastly's article The headers we don't want covers Server and other vanity headers first.
In many setups gunicorn's Server header will be overwritten anyway. For example, if you're using Nginx as a reverse proxy in front of gunicorn, it replaces Server with its own version (disable that with its
But my app is running on Heroku, whose router passes the gunicorn Server header through untouched. Because of the security risk, there has been a long-running gunicorn issue to remove the version from the header, leaving it as just gunicorn. The pull request to remove the version was merged nearly a year ago but is still pending release.
Until then, we can use the workaround suggested in the original issue: monkey-patch the SERVER_SOFTWARE attribute that gunicorn uses to fill in the Server header. I'm configuring gunicorn with a config submodule of my app's package, and that is where I add the recommended monkey-patch.
I added a version check before the monkey-patch. I normally do such a check when monkey-patching in behaviour expected from a future upstream release: the patch switches itself off once the fixed version is installed, rather than silently overriding whatever the real fix does. (N.B. I use max_requests to recycle workers periodically, which limits the damage from memory leaks.)
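The config module described above, written out as an added example rather than the post's own code. It assumes that gunicorn builds the Server header from the module-level attribute gunicorn.SERVER_SOFTWARE and exposes its version as gunicorn.version_info, and it assumes (hypothetically) that the upstream fix ships in 20.1, which is the boundary the version check uses. The patch logic lives in plain functions so it can be exercised against a stand-in module object when gunicorn is not installed.

```python
"""gunicorn config module that strips the version from the Server header.

Added example, not the original post's code. Assumptions: gunicorn < 20.1
builds the Server header from gunicorn.SERVER_SOFTWARE, and the upstream fix
lands in 20.1 (hypothetical boundary; adjust to the release that ships it).
"""
try:
    import gunicorn
except ImportError:  # allow importing (and testing) this module without gunicorn
    gunicorn = None

# Assumed version where the upstream fix lands; not taken from the post.
FIX_VERSION = (20, 1)
PATCHED_SERVER_SOFTWARE = "gunicorn"


def needs_server_patch(version_info):
    """Return True when this gunicorn version still puts the version in Server."""
    return tuple(version_info[:2]) < FIX_VERSION


def patch_server_software(module, value=PATCHED_SERVER_SOFTWARE):
    """Monkey-patch SERVER_SOFTWARE on `module` only if its version needs it.

    Returns the value the Server header will be built from afterwards, so the
    caller can see whether the patch applied or the upstream value was kept.
    """
    if needs_server_patch(module.version_info):
        module.SERVER_SOFTWARE = value
    return module.SERVER_SOFTWARE


if gunicorn is not None:
    # Runs when gunicorn imports this module as its config, before the
    # worker modules that read SERVER_SOFTWARE are imported.
    patch_server_software(gunicorn)

# Ordinary gunicorn settings: gunicorn reads module-level names that match its
# settings and ignores the helper functions above.
bind = "0.0.0.0:8000"
workers = 2
max_requests = 1000       # recycle each worker after this many requests
max_requests_jitter = 50  # stagger recycling so workers don't restart together
```

Point gunicorn at it with `--config python:<module path>`; the helper functions are harmless because gunicorn only picks up names that match its settings. Patching an internal attribute is a stopgap: once the release that removes the version is installed, needs_server_patch returns False and the module stops touching gunicorn at all.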
I run gunicorn pointed at that config module, and the response now shows the changed Server header with no version in it.
I like tests, so I also have test coverage for my gunicorn config file. gunicorn provides a command-line flag to validate its configuration. To avoid running that command separately from my tests, and to ensure its use of the config file appears in my test coverage, I invoke gunicorn's internal CLI function in-process from a test. I then assert that it tries to exit with the expected status code. Since this calls an internal entry point rather than a documented API, expect to revisit the test if gunicorn reorganises it.
I hope this helps you configure your gunicorn,
Tags: django, python
© 2021 All rights reserved.