 

Can't get rid of header X-Powered-By:Express

People also ask

How do I get rid of X-powered-by HTTP response header Express?

Use the app.disable method: app.disable('x-powered-by'); disables the 'x-powered-by' option, which removes the X-Powered-By response header in our Express app.

What does X-powered-by Express mean?

X-Powered-By is set by various servers to say what kind of server it is. Software installed on that server might override the server's default. There is an argument that giving this information to clients gives information that can only serve to help attackers (just a little bit: saves working out what kind of server).

How do you know if X is powered by?

We find the first item, this is the HTML, the basic structure of the website. In the right half of the Inspect pane, we select the headers tab and scroll down to find the “X-Powered-By” header.


In Express >= 3.0.0rc5:

app.disable('x-powered-by');

Here is a simple middleware that removes the header in earlier versions of Express:

app.use(function (req, res, next) {
  res.removeHeader("x-powered-by");
  next();
});

Just to piggy-back on rjack's answer, you could also (optionally) just change (set) the X-powered-by header to something much cooler/custom like this:

app.use(function (req, res, next) {
  res.header("X-powered-by", "Blood, sweat, and tears")
  next()
})

As of Express v3.0.0rc5, support for disabling the X-Powered-By header is built in:

var express = require('express');

var app = express();
app.disable('x-powered-by');

From the source (http://expressjs.com/en/api.html#app.set). In Express 4.X just set the app using the line below:

app.set('x-powered-by', false) // hide x-powered-by header!

Here's a handy middleware you can drop in to swap out X-Powered-By:

// Switch off the default 'X-Powered-By: Express' header.
// This is an app setting, so call it once at startup, not on every request.
app.disable( 'x-powered-by' );

function customHeaders( req, res, next ){
  // OR set your own header here
  res.setHeader( 'X-Powered-By', 'Awesome App v0.0.1' );

  // .. other headers here

  next();
}

app.use( customHeaders );

// ... now your code goes here

Setting X-Powered-By in this case would override the default 'Express', so you do not need to both disable AND set a new value.


None of the standard solutions worked for me either. After much searching I found out that we used a routes file where a new express instance was started, which was later added to the first by using app.use. Only for the routes in this new express instance the X-Powered-By header was present.

Simplistic view of issue:

const express = require("express");

const app = express();
app.disable("x-powered-by");
app.get("/ping", (req, res) => res.send("Pong")); // <-- no X-Powered-By header

const moreRoutes = express();
moreRoutes.get("/ping", (req, res) => res.send("Pong")); // <-- X-Powered-By header still present

app.use("/api/v2", moreRoutes);

Solution was simply to create a new express.Router instead of a whole instance.

const moreRoutes = express.Router();
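
Added example (not from any of the answers on this page): a top-level guard for the case just described, where a mounted express() instance with its own settings re-adds the header. The names blockPoweredBy, subAppHandler and headersAfter are hypothetical, the sub-app is a constructed stand-in so the block runs without Express installed, and the guard assumes the header is written through res.setHeader, as Express does.

```javascript
const http = require('http');

// Express-style middleware: register it first on the top-level app with
// app.use(blockPoweredBy). It relies only on Node's response API.
function blockPoweredBy(req, res, next) {
  const originalSetHeader = res.setHeader;
  // Drop a value that an earlier layer has already queued.
  res.removeHeader('X-Powered-By');
  // Ignore later attempts, e.g. by a mounted express() instance whose own
  // 'x-powered-by' setting is still enabled.
  res.setHeader = function (name, value) {
    if (String(name).toLowerCase() === 'x-powered-by') return this;
    return originalSetHeader.call(this, name, value);
  };
  next();
}

// Constructed stand-in for a mounted sub-app that still advertises itself.
function subAppHandler(req, res) {
  res.setHeader('X-Powered-By', 'Express');
  res.setHeader('Content-Type', 'text/plain');
}

// Runs the handler against a real http.ServerResponse (no socket needed)
// and returns the headers that would be sent.
function headersAfter(useGuard) {
  // Constructed request for the route from the answer above.
  const req = { method: 'GET', url: '/api/v2/ping', headers: {},
                httpVersionMajor: 1, httpVersionMinor: 1 };
  const res = new http.ServerResponse(req);
  if (useGuard) {
    blockPoweredBy(req, res, () => subAppHandler(req, res));
  } else {
    subAppHandler(req, res);
  }
  return res.getHeaders();
}

console.log('without guard:', headersAfter(false));
console.log('with guard:   ', headersAfter(true));
```

The guard also blocks a custom X-Powered-By value set later through res.setHeader, and it does not cover headers passed directly to res.writeHead.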

For hiding X-Powered-By you can use the Node.js library helmet.

The link for that is helmet

var helmet = require('helmet');
app.use(helmet.hidePoweredBy());