Skip to main content

HTTP Header: Hide Powered-By

The attack

By default Express will add an X-Powered-by: Express header in to your application and there are no plans to remove it

As an example you can see almost 1 million servers with the X-Powered-By: Express active in Shodan queries

The header

Even if this header does not represent a vulnerability still being very relevant to hardening our server

The code

Helmet will hide by default the x-powered-by.

const helmet = require('helmet')

app.use(helmet())

You can disable it using express without helmet

app.disable('x-powered-by')

Extra mile: throw an attacker off the scent

Why not using a different x-powered-by value:

const helmet = require('helmet')

app.use(helmet())
app.use(helmet.hidePoweredBy({ setTo: 'PHP 4.2.0' }))

Refs: