X-Powered-By header must be disabled

ID

javascript.powered_by_header

Severity

low

Resource

Misconfiguration

Language

JavaScript

Tags

CWE:200, NIST.SP.800-53, OWASP:2021:A5, PCI-DSS:6.5.1

Description

Web servers and application frameworks conventionally add the X-Powered-By response header to advertise the technology stack in use, often including the name and version of the server or framework (for example X-Powered-By: Express, or X-Powered-By: PHP/8.1.2 when PHP's expose_php setting is on).

Rationale

An attacker who learns from the header which framework (and which version) serves the application can go straight to the known vulnerabilities of that framework instead of probing blindly.

To avoid such fingerprinting, the X-Powered-By header should be removed, or replaced by a neutral value that does not leak information about the underlying technology stack.

Removing the header is a small hardening measure rather than a real security control (remember: "security by obscurity is not security"). An adversary can still fingerprint the stack by other means, such as error pages, default cookie names, or the order and formatting of the remaining headers, but the change does raise the cost of automated scanning a little. It also improves performance marginally by reducing the number of bytes sent with every response.

The following Express application does nothing to disable the header, so by default every response it sends carries X-Powered-By: Express:

const express = require('express');
const app = express();

// ... rest of the app, but nothing here disables the header ...
app.get('/', (req, res) => res.send('hello'));

app.listen(3000); // every response includes "X-Powered-By: Express"

Remediation

Configure the web application so that it does not disclose technical information via the X-Powered-By response header. This can be done in the web framework's configuration, or further up the delivery chain in the web server, reverse proxy or CDN (for example, nginx can strip the header from an upstream response with proxy_hide_header X-Powered-By;).

For the previous example, Express provides a setting (x-powered-by) that disables generation of the header. Alternatively, a middleware can remove the header or overwrite it with a neutral value, or a package that configures security headers, such as helmet, can be used. Any one of the three alternatives below is sufficient:

const express = require('express');
const app = express();

// alternative #1: turn off the Express setting that adds the header
app.disable('x-powered-by');

// alternative #2: middleware that removes the header (Express sets it before
// user middleware runs, so removing it here works); a neutral value could be
// set instead with res.setHeader('X-Powered-By', 'none')
app.use(function (req, res, next) {
  res.removeHeader('X-Powered-By');
  next();
});

// alternative #3: using helmet (the middleware name below is the helmet 7+
// name; older helmet releases call it hidePoweredBy)
const helmet = require('helmet');
app.use(helmet());               // the default helmet bundle removes the header
// app.use(helmet.xPoweredBy()); // or use only this specific middleware

Read the documentation of the chosen web framework for details on how to disable the header.

Configuration

The rule has no configuration parameters.

References