### Update a Hero with `HeroUpdate` { #update-a-hero-with-heroupdate }

We can **update a hero**. For this we use an HTTP `PATCH` operation.

And in the code, we get a `dict` with all the data sent by the client, **only the data sent by the client**, excluding any values that would be there just for being the default values. To do it we use `exclude_unset=True`. This is the main trick. 🪄

* `www_redirect` - If set to True, requests to non-www versions of the allowed hosts will be redirected to their www counterparts. Defaults to `True`.

If an incoming request does not validate correctly then a `400` response will be sent.

## `GZipMiddleware` { #gzipmiddleware }

Handles GZip responses for any request that includes `"gzip"` in the `Accept-Encoding` header.

The middleware will handle both standard and streaming responses.

//	path: 'bucket/' or '/bucket/' => Heal bucket
//	path: 'bucket/object' => Heal object
type healTask struct {
	bucket    string
	object    string
	versionID string
	opts      madmin.HealOpts
	// Healing response will be sent here
	respCh chan healResult
}

// healResult represents a healing result with a possible error
type healResult struct {
	result madmin.HealResultItem
	err    error
}

        .receivedResponseAtMillis(receivedResponseMillis)
        .build()
    }

    companion object {
      /** Synthetic response header: the local time when the request was sent. */
      private val SENT_MILLIS = "${Platform.get().getPrefix()}-Sent-Millis"

      /** Synthetic response header: the local time when the response was received. */
      private val RECEIVED_MILLIS = "${Platform.get().getPrefix()}-Received-Millis"
    }

## Request and Response

MinIO will make a `POST` request with a JSON body to the given plugin URL. If the auth token parameter is set, it will be sent as an authorization header.

The JSON body structure can be seen from this sample:

<details><summary>Request Body Sample</summary>

```json
{
  "input": {
    "account": "minio",
    "groups": null,

      assertThat(expected.message)
        .isEqualTo("Client-sent frames must be masked.")
    }
  }

  @Test fun serverSentFramesMustNotBeMasked() {
    data.write("8180".decodeHex())
    assertFailsWith<ProtocolException> {
      clientReader.processNextFrame()
    }.also { expected ->
      assertThat(expected.message)
        .isEqualTo("Server-sent frames must not be masked.")
    }
  }

}

func getBucketTrafficSentBytes() MetricDescription {
	return MetricDescription{
		Namespace: bucketMetricNamespace,
		Subsystem: trafficSubsystem,
		Name:      sentBytes,
		Help:      "Total number of S3 bytes sent for this bucket",
		Type:      gaugeMetric,
	}
}

func getBucketUsageTotalBytesMD() MetricDescription {
	return MetricDescription{
		Namespace: bucketMetricNamespace,
		Subsystem: usageSubsystem,

  "full_name": "John Doe",
  "disabled": false
}
```

<img src="/img/tutorial/security/image09.png">

If you open the developer tools, you could see how the data sent only includes the token, the password is only sent in the first request to authenticate the user and get that access token, but not afterwards:

<img src="/img/tutorial/security/image10.png">

/// note

  }

  /**
   * We delay sending the last byte of the request body 1500 ms. The 1000 ms read timeout should
   * only elapse 1000 ms after the request body is sent.
   */
  @Test
  fun headersReadTimeoutDoesNotStartUntilLastRequestBodyByteFire() {
    enableProtocol(Protocol.HTTP_2)
    server.enqueue(
      MockResponse
        .Builder()

    which was incorrectly matching prefix based on resource
    prefixes instead of exact match.
```

- There is always a possibility of a fix that is new, it is advised that the developer must make sure that the fix is sent upstream, reviewed and merged to the master branch.

## Creating a hotfix branch