standard way to disable X-powered-by header in Passenger?

I couldn't find any way to disable Passenger's X-Powered-By header:

X-Powered-By: Phusion Passenger (mod_rails/mod_rack) 3.0.11

Is it possible to do that without modifying its sources and removing headers on the HTTP server level?

Oleg Mikheev asked Nov 28 '11 15:11



3 Answers

On Apache you can unset headers:

# Hide/Remove the Passenger Headers
Header always unset "X-Powered-By"
Header always unset "X-Runtime"

It will not remove all names (since services such as Plesk will still append their name), but Passenger can be removed this way.

Kudos to John Trupiano: https://groups.google.com/forum/?fromgroups=#!topic/phusion-passenger/LKAKH0PEyW0

Robert answered Sep 28 '22 21:09


Short answer: YES.

update: 2018

Use proxy_hide_header if downstream, or use more_clear_headers


Original Answer

I'll leave aside the fact that I use nginx+passenger, but you can completely remove them with

remove_header X-Header-Name-To-Remove;

So you can remove both by

server {
    ...
    remove_header X-Powered-By;
    remove_header X-Runtime;
    ...
}

This removes all the headers, it can also be in a location directive instead of server.


Here are my common directives, as I leave 'apache prod' equiv on mine.

server {
    ...
    remove_header X-Runtime;
    server_tokens off;
    passenger_show_version_in_header off;
    ...
}

Provides a service header like..

Server:nginx + Phusion Passenger
X-Powered-By:Phusion Passenger

This is the closest equiv of apache2 ServerTokens Prod directive that I can do.

shadowbq answered Sep 28 '22 22:09


Short answer: no.

There is no configuration option in passenger to disable the X-Powered-by, so you need to do one of the following:

  • filter
  • edit source
  • monkeypatch

passenger code:

  #RequestHandler::process_request
  headers_output = [
    STATUS, status.to_i.to_s, CRLF,
    X_POWERED_BY, @passenger_header, CRLF
  ]

  #AbstractRequestHandler::initialize
  @passenger_header   = determine_passenger_header

  #AbstractRequestHandler::determine_passenger_header
  def determine_passenger_header
    header = "Phusion Passenger (mod_rails/mod_rack)"
    if @options["show_version_in_header"]
      header << " #{VERSION_STRING}"
    end
    if File.exist?("#{SOURCE_ROOT}/enterprisey.txt") ||
       File.exist?("/etc/passenger_enterprisey.txt")
      header << ", Enterprise Edition"
    end
    return header
  end

klochner answered Sep 28 '22 22:09