disable method. app.disable('x-powered-by'); to disable the 'x-powered-by' option which removes the X-Powered-By response header in our Express app.
X-Powered-By is set by various servers to say what kind of server it is. Software installed on that server might override the server's default. There is an argument that giving this information to clients gives information that can only serve to help attackers (just a little bit: saves working out what kind of server).
We find the first item; this is the HTML, the basic structure of the website. In the right half of the Inspect pane, we select the Headers tab and scroll down to find the “X-Powered-By” header.
In Express >= 3.0.0rc5:
app.disable('x-powered-by');
Here is a simple middleware that removes the header in earlier versions of Express:
app.use(function (req, res, next) {
  res.removeHeader("x-powered-by");
  next();
});
Just to piggy-back on rjack's answer, you could also (optionally) just change (set) the X-powered-by header to something much cooler/custom like this:
app.use(function (req, res, next) {
  res.header("X-powered-by", "Blood, sweat, and tears")
  next()
})
As of Express v3.0.0rc5, support for disabling the X-Powered-By header is built in:
var express = require('express');
var app = express();
app.disable('x-powered-by');
From the source (http://expressjs.com/en/api.html#app.set). In Express 4.X, just set the app using the line below:
app.set('x-powered-by', false) // hide x-powered-by header!
Here's a handy middleware you can drop in to swap out X-Powered-By:
function customHeaders( req, res, next ){
  // Switch off the default 'X-Powered-By: Express' header
  app.disable( 'x-powered-by' );
  // OR set your own header here
  res.setHeader( 'X-Powered-By', 'Awesome App v0.0.1' );
  // .. other headers here
  next()
}
app.use( customHeaders );
// ... now your code goes here
Setting X-Powered by in this case would override the default 'Express', so you do not need to both disable AND set a new value.
None of the standard solutions worked for me either. After much searching I found out that we used a routes file where a new express instance was started, which was later added to the first by using app.use. Only for the routes in this new express instance the X-Powered-By header was present.
Simplistic view of issue:
const express = require("express");
const app = express();
app.disable("x-powered-by");
app.get("/ping", (req, res) => res.send("Pong")); // <-- no X-Powered-By header
const moreRoutes = express(); // separate instance with its own settings
moreRoutes.get("/ping", (req, res) => res.send("Pong")); // <-- X-Powered-By header still present
app.use("/api/v2", moreRoutes);
Solution was simply to create a new express.Router instead of a whole instance.
const moreRoutes = express.Router();
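An added check for the situation in the answer above (not code from any of the answers): it requests each route and reports the ones that still send X-Powered-By, so a mounted sub-app that kept the header is caught. It uses only Node's http module; the sample server is a constructed stand-in that sends the header under /api/v2, and all function names are hypothetical.

```javascript
// Added example: audit routes for a leaked X-Powered-By header (Node core only).
const http = require("http");

// Constructed stand-in for the misconfiguration described above: the parent
// app has the header disabled, but responses under /api/v2 (the mounted
// sub-app) still carry it.
function startSampleServer() {
  const server = http.createServer((req, res) => {
    if (req.url.startsWith("/api/v2/")) res.setHeader("X-Powered-By", "Express");
    res.end("Pong");
  });
  return new Promise((resolve) => server.listen(0, "127.0.0.1", () => resolve(server)));
}

// Request one path and resolve with the X-Powered-By value, or null if absent.
function poweredBy(port, path) {
  return new Promise((resolve, reject) => {
    const req = http.get({ host: "127.0.0.1", port, path, agent: false }, (res) => {
      res.resume(); // drain the body so the socket can close
      res.on("end", () => resolve(res.headers["x-powered-by"] || null));
    });
    req.on("error", reject);
  });
}

// Return every path whose response still discloses the framework.
async function findLeakyPaths(port, paths) {
  const leaks = [];
  for (const path of paths) {
    const value = await poweredBy(port, path);
    if (value !== null) leaks.push({ path, value });
  }
  return leaks;
}

// Run the audit against the constructed server (hypothetical helper).
async function auditSample() {
  const server = await startSampleServer();
  try {
    return await findLeakyPaths(server.address().port, ["/ping", "/api/v2/ping"]);
  } finally {
    server.close();
  }
}

auditSample().then((leaks) => console.log(leaks));
// logs [ { path: '/api/v2/ping', value: 'Express' } ]
```

To audit a real app, pass its port and route list to findLeakyPaths, including at least one route from every mounted sub-app.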
For hiding X-Powered-By, you can use the Node.js library helmet.
The link for that is helmet
var helmet = require('helmet');
app.use(helmet.hidePoweredBy());