Plug guide bug? "Head plug converts HEAD requests to GET requests and strips the response body"

Hi All.

Is the Plug Guide right when it says that the Head plug

converts HEAD requests to GET requests and strips the response body

Looking at Plug.Head module the call method just looks like:

  def call(%Conn{method: "HEAD"} = conn, []), do: %{conn | method: "GET"}
  def call(conn, []), do: conn

Which I read as convert any “HEAD” method to “GET” otherwise pass the request unchanged.

So, maybe it doesn’t strip the response body? But then I started wondering how would you strip the response body (or do anything at all with the response). Isn’t the controller the last plug that gets executed in the pipeline in a default generated Phoenix app? Am I misunderstanding how plugs are called or work?

It’s not really enough in most cases to just have the application not send a body to a HEAD response. RFC9110§9.3.2 (and other parts of the spec) say that a HEAD response should ideally look exactly like the equivalent GET in every way except for the lack of response body. Specifically, headers such as content-length, etags, and others should be the same. In order for Bandit to know what content-length to send, it needs to have the application try and send the response body; it’s Bandit’s responsibility to elide the body if necessary.

You can see this in action here.

1 Like

You’re right, that plug does not strip the response body, doc bug.

And yes - the controller is the last plug by default. You can add other plugs in your Endpoint after the Router if you want, but they can’t affect the response because the render call both creates the response body AND sends it via the http adapter.


Thanks for the replies! That’s making more sense to me.

I’ve created a PR to update the docs.