Add docs for overriding Server header with Uvicorn

cak · cak · commit 5323dfc9e288 · 2024-09-25T06:18:52.000-04:00
- Added note to `frameworks.md` about disabling Uvicorn's default Server header using the `--no-server-header` option or `server_header=False` in `uvicorn.run()`.
- Mentioned limitation when using Uvicorn via Gunicorn as described in the GitHub issue.
- Updated documentation to close GitHub issue #143.

Closes #143.
diff --git a/docs/frameworks.md b/docs/frameworks.md
@@ -25,6 +25,29 @@
 
 ---
 
+### Note: Overriding the `Server` Header in Uvicorn-based Frameworks
+
+If you're using Uvicorn as the ASGI server (commonly used with frameworks like FastAPI, Starlette, and others), Uvicorn automatically injects a `Server: uvicorn` header into all HTTP responses by default. This can lead to multiple `Server` headers when using `Secure.py` to set a custom `Server` header.
+
+To prevent Uvicorn from adding its default `Server` header, you can disable it by passing the `--no-server-header` option when running Uvicorn, or by setting `server_header=False` in the `uvicorn.run()` method:
+
+```python
+import uvicorn
+
+uvicorn.run(
+    app,
+    host="0.0.0.0",
+    port=8000,
+    server_header=False,  # Disable Uvicorn's default Server header
+)
+```
+
+If you're using Uvicorn via Gunicorn (e.g., with the `UvicornWorker`), note that this setting is not passed through automatically. In such cases, you may need to subclass the worker to fully override the `Server` header.
+
+For more information, refer to the [Uvicorn Settings](https://www.uvicorn.org/settings/#http).
+
+---
+
 ## aiohttp
 
 **[aiohttp](https://docs.aiohttp.org)** is an asynchronous HTTP client/server framework for asyncio and Python. It's designed for building efficient web applications with asynchronous capabilities.
diff --git a/docs/headers/server.md b/docs/headers/server.md
@@ -42,6 +42,10 @@ This can then be applied as part of your Secure headers configuration:
 secure_headers = Secure(server=server_header)
 ```
 
+### Special Considerations for Frameworks
+
+Some frameworks like Uvicorn automatically inject a `Server` header. If you're using Uvicorn and need to override or remove this header, refer to the [framework integration guide](../frameworks.md) for specific instructions on how to disable Uvicorn's default `Server` header.
+
 ## **Resources**
 
 - [MDN Web Docs: Server Header](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Server)
