If I output config.action_dispatch.default_headers in my application.rb, I see all the standard Rails headers:
{"X-Frame-Options"=>"SAMEORIGIN", "X-XSS-Protection"=>"1; mode=block", "X-Content-Type-Options"=>"nosniff", "X-Download-Options"=>"noopen", "X-Permitted-Cross-Domain-Policies"=>"none", "Referrer-Policy"=>"strict-origin-when-cross-origin"}
However, if I then make a request to my app (with curl/browser/Postman) I don't see any of the above. I only see the following:
$ curl -v -XGET 'localhost:4000/myresource/581'
* TCP_NODELAY set
* Connected to localhost (::1) port 4000 (#0)
> GET /myresource/581 HTTP/1.1
> Host: localhost:4000
> User-Agent: curl/7.54.0
> Accept: */*
>
< HTTP/1.1 200 OK
< Content-Type: application/json; charset=utf-8
< ETag: W/"292a7d87b10e292374e765dd0b56fee7"
< Cache-Control: max-age=0, private, must-revalidate
< X-Request-Id: 7ff75ff6-f598-4489-9439-a4c17c6a5480
< X-Runtime: 0.025049
< Transfer-Encoding: chunked
<
This is all running locally with no web server/proxy. In production I am missing the same headers.
Is Rails API mode removing headers that it thinks are irrelevant for APIs? Or could it only be some other code in my app that is doing this?
Rails 5.x in API mode does not include the ActionDispatch default headers.
It is an issue: https://github.com/rails/rails/issues/34940.
But it is fixed now and will be available in version 6.0.0: https://github.com/rails/rails/pull/32484
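As an added example (not code from the question, the answer, or Rails itself), here is a Rack-style middleware that sets the headers listed in the question on any response that lacks them, together with a helper that reports which of those headers a response is missing; the stand-in API app and the request env are constructed for the example, and in a Rails app the middleware would be registered with config.middleware.use.

```ruby
# Added example: Rack-compatible middleware that fills in the Rails default
# security headers when the app (e.g. Rails 5.x API mode) does not set them,
# plus a check that lists the expected headers a response is missing.
# No Rails or Rack gems are required; only the Rack call convention is used.

DEFAULT_HEADERS = {
  "X-Frame-Options" => "SAMEORIGIN",
  "X-XSS-Protection" => "1; mode=block",
  "X-Content-Type-Options" => "nosniff",
  "X-Download-Options" => "noopen",
  "X-Permitted-Cross-Domain-Policies" => "none",
  "Referrer-Policy" => "strict-origin-when-cross-origin"
}.freeze

class DefaultSecurityHeaders
  def initialize(app, headers = DEFAULT_HEADERS)
    @app = app
    @headers = headers
  end

  def call(env)
    status, headers, body = @app.call(env)
    @headers.each do |name, value|
      # Keep any value the app set deliberately (header names are case-insensitive).
      next if headers.keys.any? { |k| k.casecmp?(name) }
      headers[name] = value
    end
    [status, headers, body]
  end
end

# Returns the names of expected security headers absent from a response header hash.
def missing_security_headers(headers, expected = DEFAULT_HEADERS)
  present = headers.keys.map(&:downcase)
  expected.keys.reject { |name| present.include?(name.downcase) }
end

# Constructed stand-in for the JSON API from the question: no security headers at all.
BARE_API_APP = ->(_env) { [200, { "Content-Type" => "application/json; charset=utf-8" }, ['{"id":581}']] }

# Runs a request through the middleware and returns the resulting header hash.
def response_headers_with_middleware(app = BARE_API_APP)
  _status, headers, _body = DefaultSecurityHeaders.new(app).call({ "PATH_INFO" => "/myresource/581" })
  headers
end

if __FILE__ == $PROGRAM_NAME
  puts "missing before: #{missing_security_headers(BARE_API_APP.call({})[1]).inspect}"
  puts "missing after:  #{missing_security_headers(response_headers_with_middleware).inspect}"
end
```

The same missing_security_headers check can be run against the header hash of a real response (for instance from a request spec) to confirm the headers are present after upgrading to Rails 6.0.0 or adding the middleware.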