Hide Powered-By

Written by Ulises Gascón

Apr 08, 20201 min read

The attack

By default Express will add an X-Powered-by: Express header in to your application and there are no plans to remove it

As an example you can see almost 1 million servers with the X-Powered-By: Express active in Shodan queries

The header

Even if this header does not represent a vulnerability still being very relevant to hardening our server

The code

Helmet will hide by default the x-powered-by.

const helmet = require('helmet')


You can disable it using express without helmet


Extra mile: throw an attacker off the scent

Why not using a different x-powered-by value:

const helmet = require('helmet')

app.use(helmet.hidePoweredBy({ setTo: 'PHP 4.2.0' }))