I have an Express server running on port 8080 using webpack. I installed helmet as described in the package docs:

```js
const express = require('express')
const helmet = require('helmet')
const app = express()
app.use(helmet())
```
Yet when I npm start I still see the x-powered-by:Express header in localhost and none of the dns-prefetch, xss or other headers that Helmet is supposed to enable. I restarted the server several times, deleted my build folder so it is not cached, and am lost as to why it's not working. Any thoughts or pointers will be greatly appreciated!
You need to explicitly invoke the middleware like so.

```js
const hidePoweredBy = require('hide-powered-by')
app.use(hidePoweredBy())
```
https://expressjs.com/en/advanced/best-practice-security.html
Can also try

```js
app.disable('x-powered-by')
```
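To confirm which of these changes actually reached the response, the following added example (not part of the original posts) audits a set of response headers for the `x-powered-by` leak and the hardening headers mentioned in the question. The `EXPECTED` list is an assumed subset of Helmet's defaults that varies by version, and the function names and sample responses are constructed for illustration.

```javascript
// Added example: audit the response headers a server actually sends.
// EXPECTED is an assumed subset of Helmet's defaults; adjust to your version.
const EXPECTED = [
  'x-dns-prefetch-control',
  'x-content-type-options',
  'x-frame-options',
  'x-xss-protection',
];

// Header names are case-insensitive, so normalize before comparing.
function normalize(headers) {
  const out = {};
  for (const [name, value] of Object.entries(headers)) {
    out[name.toLowerCase()] = String(value);
  }
  return out;
}

// Report the framework banner (if any) and which expected headers are absent.
function auditHeaders(headers) {
  const h = normalize(headers);
  const missing = EXPECTED.filter((name) => !(name in h));
  const poweredBy = h['x-powered-by'] || null;
  return {
    poweredBy,
    missing,
    hardened: poweredBy === null && missing.length === 0,
  };
}

// Live check against the exact origin the browser loads (Node 18+ global fetch).
async function auditUrl(url) {
  const res = await fetch(url, { redirect: 'manual' });
  return auditHeaders(Object.fromEntries(res.headers.entries()));
}

// Constructed sample responses, not captured from a real server.
const SAMPLE_UNPROTECTED = { 'X-Powered-By': 'Express', 'Content-Type': 'text/html' };
const SAMPLE_PROTECTED = {
  'X-DNS-Prefetch-Control': 'off',
  'X-Content-Type-Options': 'nosniff',
  'X-Frame-Options': 'SAMEORIGIN',
  'X-XSS-Protection': '0',
  'Content-Type': 'text/html',
};

console.log(auditHeaders(SAMPLE_UNPROTECTED));
console.log(auditHeaders(SAMPLE_PROTECTED));
```

Running `auditUrl('http://localhost:8080/')` against the same origin the browser shows tells you whether the process answering on that port is the one the middleware was registered on.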