Remove client application headers from API responses #4569
Labels
💻 aspect: code (Concerns the software code in the repository)
🧰 goal: internal improvement (Improvement that benefits maintainers, not users)
🟨 priority: medium (Not blocking but should be addressed soon)
🧱 stack: api (Related to the Django API)
Problem
openverse/api/api/middleware/response_headers_middleware.py, lines 22 to 24 at 2cb8b5e
The code linked above adds the client application name and verification status to response headers. This is useful when we scan Nginx request logs. However, it also makes responses that would not otherwise be sensitive to the authorization header suddenly sensitive.
Thumbnails, for example, can be universally cached at the edge without issue. However, when an authorization header is present, the cache (correctly) will bypass and send the request upstream. That is only correct and necessary behaviour due to our inclusion of authorization sensitive materials in responses.
Description
If we remove these headers from responses (and instead log them to our structured API logging), we can use more aggressive caching for thumbnails that does not vary on the authorization header.
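As an added illustration (not Openverse's middleware; the header names, the token table, the view and the cache model are all assumptions made for the example), the following Python contrasts the two behaviours discussed in the issue: a middleware that writes the client application name and verification status into response headers, beside one that emits the same facts as a structured log line, together with a toy edge cache that shows why the first variant forces the cache to vary on the Authorization header even for byte-identical thumbnails, and what a cache that ignores Authorization would hand to the next client.

```python
import json
from dataclasses import dataclass, field


@dataclass
class Request:
    path: str
    headers: dict = field(default_factory=dict)


@dataclass
class Response:
    body: bytes
    headers: dict = field(default_factory=dict)


# Constructed token table standing in for real client verification (assumption).
KNOWN_TOKENS = {
    "Bearer tok-acme": ("acme-images", True),
    "Bearer tok-anon": ("unknown-app", False),
}


def identify_client(request):
    """Map the Authorization header to (application name, verified). Assumed logic."""
    token = request.headers.get("Authorization")
    if token is None:
        return None, False
    return KNOWN_TOKENS.get(token, ("unknown-app", False))


def header_middleware(get_response):
    """Behaviour the issue wants removed: echo client identity in response headers.
    Header names are hypothetical."""
    def middleware(request):
        response = get_response(request)
        name, verified = identify_client(request)
        if name is not None:
            response.headers["X-Client-Application"] = name
            response.headers["X-Client-Verified"] = str(verified).lower()
        return response
    return middleware


def logging_middleware(get_response, log_sink):
    """Proposed behaviour: record client identity as a structured log line instead,
    leaving the response independent of the Authorization header."""
    def middleware(request):
        response = get_response(request)
        name, verified = identify_client(request)
        log_sink.append(json.dumps({
            "path": request.path,
            "client_application": name,
            "client_verified": verified,
        }))
        return response
    return middleware


def thumbnail_view(request):
    """Constructed upstream view: thumbnail bytes depend only on the path."""
    return Response(body=b"PNG-thumb:" + request.path.encode())


class EdgeCache:
    """Minimal edge cache keyed on path, optionally also on Authorization."""
    def __init__(self, vary_on_authorization):
        self.vary_on_authorization = vary_on_authorization
        self.store = {}
        self.upstream_hits = 0

    def fetch(self, app, request):
        auth = request.headers.get("Authorization") if self.vary_on_authorization else None
        key = (request.path, auth)
        if key not in self.store:
            self.upstream_hits += 1          # miss: go upstream to the API
            self.store[key] = app(request)
        return self.store[key]


def responses_differ_by_client(app, path="/thumb/1"):
    """True if two clients with different Authorization get different responses,
    i.e. the response is sensitive to the Authorization header."""
    a = app(Request(path, {"Authorization": "Bearer tok-acme"}))
    b = app(Request(path, {"Authorization": "Bearer tok-anon"}))
    return (a.body, a.headers) != (b.body, b.headers)


def cross_client_leak(app):
    """Serve two clients through a cache that ignores Authorization and return the
    client-application header the second client receives (None if absent) plus
    the number of upstream requests made."""
    cache = EdgeCache(vary_on_authorization=False)
    cache.fetch(app, Request("/thumb/1", {"Authorization": "Bearer tok-acme"}))
    second = cache.fetch(app, Request("/thumb/1", {"Authorization": "Bearer tok-anon"}))
    return second.headers.get("X-Client-Application"), cache.upstream_hits
```

With the header variant, `responses_differ_by_client` is true, so an edge cache keyed on path alone would serve the first client's application name to the second; the only safe setting is to vary on Authorization, which costs one upstream request per distinct token. With the logging variant the two responses are identical, the cache can key on path alone, and the client identity still reaches the structured log.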