I couldn't find any way to disable Passenger's <code>X-Powered-By</code> header: <pre class="prettyprint"><code>X-Powered-By: Phusion Passenger (mod_rails/mod_rack) 3.0.11 </code></pre> Is it possible to do that without modifying its sources and removing headers on the HTTP server level?

Short answer: YES. update: 2018 Use <code>proxy_hide_header</code> if downstream, or use <code>more_clear_headers</code> <hr> Original Answer I leave the fact that I use nginx+passenger .. but you can completely remove them with <pre class="prettyprint"><code>remove_header X-Header-Name-To-Remove; </code></pre> So you can remove both by <pre class="prettyprint"><code>server { ... remove_header X-Powered-By; remove_header X-Runtime; ... } </code></pre> This removes all the headers, it can also be in a location directive instead of server. .. Here are my common directives, as I leave 'apache prod' equiv on mine. <pre class="prettyprint"><code>server { ... remove_header X-Runtime; server_tokens off; passenger_show_version_in_header off; ... } </code></pre> Provides a service header like.. <pre class="prettyprint"><code>Server:nginx + Phusion Passenger X-Powered-By:Phusion Passenger </code></pre> This is the closest equiv of apache2 ServerTokens Prod directive that I can do.

standard way to disable X-powered-by header in Passenger?

Tags:

http-headers

ruby

passenger

I couldn't find any way to disable Passenger's X-Powered-By header:

X-Powered-By: Phusion Passenger (mod_rails/mod_rack) 3.0.11

Is it possible to do that without modifying its sources and removing headers on the HTTP server level?

921

asked Nov 28 '11 15:11

Oleg Mikheev

3 Answers

On Apache you can unset headers:

# Hide/Remove the Passenger Headers
Header always unset "X-Powered-By"
Header always unset "X-Runtime"

It will not remove all names (since services such as Plesk will still append their name), but Passenger can be removed this way.

Kudos to John Trupiano: https://groups.google.com/forum/?fromgroups=#!topic/phusion-passenger/LKAKH0PEyW0

154

answered Sep 28 '22 21:09

Robert

Short answer: YES.

update: 2018

Use proxy_hide_header if downstream, or use more_clear_headers

Original Answer

I leave the fact that I use nginx+passenger .. but you can completely remove them with

remove_header X-Header-Name-To-Remove;

So you can remove both by

server {
    ...
    remove_header X-Powered-By;
    remove_header X-Runtime;
    ...
    }

This removes all the headers, it can also be in a location directive instead of server.

Here are my common directives, as I leave 'apache prod' equiv on mine.

server {
    ...
    remove_header X-Runtime;
    server_tokens off;
    passenger_show_version_in_header off;
    ...
}

Provides a service header like..

Server:nginx + Phusion Passenger
X-Powered-By:Phusion Passenger

This is the closest equiv of apache2 ServerTokens Prod directive that I can do.

answered Sep 28 '22 22:09

shadowbq

Short answer: no.

There is no configuration option in passenger to disable the X-Powered-by, so you need to do one of

filter
edit source
monkeypatch

passenger code:

  #RequestHandler::process_request
  headers_output = [
    STATUS, status.to_i.to_s, CRLF,
    X_POWERED_BY, @passenger_header, CRLF
  ]

  #AbstractRequestHandler::initialize
  @passenger_header   = determine_passenger_header

  #AbstractRequestHandler::determine_passenger_header
  def determine_passenger_header
    header = "Phusion Passenger (mod_rails/mod_rack)"
    if @options["show_version_in_header"]
      header << " #{VERSION_STRING}"
    end
    if File.exist?("#{SOURCE_ROOT}/enterprisey.txt") ||
       File.exist?("/etc/passenger_enterprisey.txt")
      header << ", Enterprise Edition"
    end
    return header
  end