Security response headers stripped by edge proxy (similar to Accept-Encoding issue)
globallayer
HOBBYOP

2 months ago

Security headers set by my Fastify app (using @fastify/helmet) are being stripped by the edge proxy before reaching clients. This is similar to the https://station.railway.com/questions/new-proxy-stripping-accept-encoding-head-56fb16a0 that Brody fixed in September.

Headers missing in production but present locally:

- Content-Security-Policy
- Strict-Transport-Security
- X-Frame-Options
- X-Content-Type-Options
- Referrer-Policy

Headers that DO pass through: access-control-*, x-ratelimit-*

Project: pretty-nurturing-production

Test: curl -I https://pretty-nurturing-production.up.railway.app/health

Locally all headers appear. Through Railway edge proxy, security headers are stripped.

Can the edge proxy be updated to pass through security headers?

Solved
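
The local-versus-edge `curl -I` comparison from the question, as a repeatable check (an added example, not part of the original thread or Railway's tooling): it parses two saved `curl -sI` dumps and reports which of the five listed headers pass, change or go missing, reading only the final response when a redirect was followed. The function names and both sample dumps are constructed for illustration.

```javascript
// Compare the security headers in two saved `curl -sI` dumps (local vs. edge).
const SECURITY_HEADERS = [
  'content-security-policy', 'strict-transport-security', 'x-frame-options',
  'x-content-type-options', 'referrer-policy',
];

// Parse `curl -I` output into a Map of lowercased header name -> value.
// `curl -IL` prints one block per hop; only the final response is kept.
function parseHeaderDump(dump) {
  const blocks = dump.replace(/\r\n/g, '\n').split(/\n{2,}/)
    .filter((b) => b.trimStart().startsWith('HTTP/'));
  const headers = new Map();
  if (blocks.length === 0) return headers;
  for (const line of blocks[blocks.length - 1].trim().split('\n').slice(1)) {
    const idx = line.indexOf(':');
    if (idx <= 0) continue; // skip anything that is not "name: value"
    const name = line.slice(0, idx).trim().toLowerCase();
    const value = line.slice(idx + 1).trim();
    headers.set(name, headers.has(name) ? `${headers.get(name)}, ${value}` : value);
  }
  return headers;
}

// Classify each header; "notSetLocally" means the app never sent it at all.
function diffSecurityHeaders(localDump, edgeDump) {
  const local = parseHeaderDump(localDump);
  const edge = parseHeaderDump(edgeDump);
  const result = { passed: [], changed: [], missing: [], notSetLocally: [] };
  for (const name of SECURITY_HEADERS) {
    if (!local.has(name)) result.notSetLocally.push(name);
    else if (!edge.has(name)) result.missing.push(name);
    else if (edge.get(name) !== local.get(name)) result.changed.push(name);
    else result.passed.push(name);
  }
  return result;
}

// Constructed sample dumps (not captured from the project in the post).
const LOCAL_DUMP = [
  'HTTP/1.1 200 OK',
  "content-security-policy: default-src 'self'",
  'strict-transport-security: max-age=15552000; includeSubDomains',
  'x-frame-options: SAMEORIGIN', 'x-content-type-options: nosniff',
  'referrer-policy: no-referrer', 'x-ratelimit-limit: 100', '', '',
].join('\r\n');
const EDGE_DUMP = [
  'HTTP/2 301', 'location: /health/', '',
  'HTTP/2 200', 'x-content-type-options: nosniff', 'x-frame-options: DENY',
  'x-ratelimit-limit: 100', '', '',
].join('\r\n');
console.log(diffSecurityHeaders(LOCAL_DUMP, EDGE_DUMP));
```

Both dumps should come from the same method and path, since a HEAD request to one route and a GET to another can legitimately carry different headers.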

3 Replies

Status changed to Awaiting Railway Response Railway about 2 months ago


globallayer
HOBBYOP

2 months ago

up


2 months ago

We don't strip any of these headers.


Status changed to Awaiting User Response Railway about 2 months ago


globallayer
HOBBYOP

a month ago

Thanks!


Status changed to Awaiting Railway Response Railway about 1 month ago


Status changed to Solved brody about 1 month ago

