default User-Agent header to map to spring.application.name

[ckoutsouridis]

Whether using RestTemplate or WebClientBuilder, would it make sense to use as default User-Agent header the value of spring.application.name?

At the moment i am using a "custom" RestTemplateCustomizer that is injecting this header. for RestTemplate and defaultHeaders method for WebClientBuilder, but i think it makes sense for the User-Agent to be set to spring.application.name by default.

[knoobie]

That sounds more like a feature, you don't want to have enabled as default. (Information disclosure)

[ckoutsouridis]

i can understand the information disclosure argument, but it's not that it's empty currently. Depending on the actual http client used, it can be either the JRE version or something like "apache-http-components" which in my opinion is worse than the application name.

If not by default, It would be nice to be able to set/enable via a property.

[wilkinsona]

Thanks for the suggestion.

I don't think we should set the User-Agent header in HTTP requests to the value of spring.application.name by default. While information disclosure is less of a concern for a client, I don't think there's really any good default for User-Agent. For example, GitHub encourages you to use your GitHub user id or name of the application as registered with GitHub so that they have a means of contacting you should they identify a problem. Neither of those is likely to have the same value as spring.application.name.

I'm less sure about providing a property to enable the behaviour. However, I'm leaning towards it not being worth it as I doubt it would be all that widely used. Furthermore, WebClient already provides a nice API for setting default headers via its Builder and its defaultHeader or defaultHeaders. Things aren't quite so straightforward with RestTemplate. That could perhaps by tackled via our RestTemplateBuilder if we thought it would be of sufficient value.

Let's see what the rest of the team thinks.

[snicoll]

WebClient.Builder has a defaultHeader method and adding a similar feature to RestTemplateBuilder could be interesting indeed. I don't think we should have a property for this either.

[philwebb]

After some discussion we feel like using spring.application.name or offering a dedicated property isn't the right approach. Instead, we've opened #17072 to look at adding convenience to RestTemplateBuilder.