Can't get rid of header X-Powered-By:Express
Tags: Javascript, node.js, Express, Http Headers, Webserver
Javascript Problem Overview
I am running a server on nodejs with express. I can't seem to get rid of the header:
X-Powered-By:Express
I was wondering if there is any way to get rid of this header or do I have to live with it?
Javascript Solutions
Solution 1 - Javascript
In Express >= 3.0.0rc5:
app.disable('x-powered-by');
Here is a simple middleware that removes the header in earlier versions of Express:
app.use(function (req, res, next) {
  res.removeHeader("x-powered-by");
  next();
});
Solution 2 - Javascript
Just to piggy-back on rjack's answer, you could also (optionally) just change (set) the X-powered-by header to something much cooler/custom like this:
app.use(function (req, res, next) {
  res.header("X-powered-by", "Blood, sweat, and tears")
  next()
})
Solution 3 - Javascript
As of Express v3.0.0rc5, support for disabling the X-Powered-By header is built in:
var express = require('express');
var app = express();
app.disable('x-powered-by');
Solution 4 - Javascript
From the source (http://expressjs.com/en/api.html#app.set). In Express 4.X just set the app using the line below;
app.set('x-powered-by', false) // hide x-powered-by header!
Solution 5 - Javascript
Here's a handy middleware you can drop in to swap out X-Powered-By:
function customHeaders( req, res, next ){
  // Switch off the default 'X-Powered-By: Express' header
  app.disable( 'x-powered-by' );
  // OR set your own header here
  res.setHeader( 'X-Powered-By', 'Awesome App v0.0.1' );
  // .. other headers here
  next()
}
app.use( customHeaders );
// ... now your code goes here
Setting X-Powered by in this case would override the default 'Express', so you do not need to both disable AND set a new value.
Solution 6 - Javascript
None of the standard solutions worked for me either. After much searching I found out that we used a routes file where a new express instance was started, which was later added to the first by using app.use. Only for the routes in this new express instance the X-Powered-By header was present.
Simplistic view of issue:
const app = express();
app.disable("x-powered-by");
app.get("/ping", (req, res) => res.send("Pong")); // <-- no X-Powered-By header
const moreRoutes = express();
moreRoutes.get("/ping", (req, res) => res.send("Pong")); // <-- X-Powered-By header still present
app.use("/api/v2", moreRoutes);
Solution was simply to create a new express.Router instead of a whole instance.
const moreRoutes = express.Router();
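A way to spot the situation described in Solution 6 from the outside, as an added example that is not part of the answer above or of Express: it takes raw response header blocks saved per route (for instance from `curl -sI`), lists the routes that still send X-Powered-By, and reports the path prefix they share, which points at the mounted sub-app. The function names and the sample responses are constructed for illustration.

```javascript
// Constructed sample responses (shaped like `curl -sI` output), not real captures.
const SAMPLES = [
  { path: '/ping', raw: 'HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n' },
  { path: '/api/v2/ping', raw: 'HTTP/1.1 200 OK\r\nX-Powered-By: Express\r\n\r\n' },
  { path: '/api/v2/users', raw: 'HTTP/1.1 200 OK\r\nx-powered-by: Express\r\n\r\n' },
];

// Parse one raw header block into a map keyed by lower-cased header name
// (HTTP header names are case-insensitive).
function parseHeaders(raw) {
  const headers = {};
  for (const line of raw.split(/\r?\n/).slice(1)) { // slice(1) skips the status line
    const idx = line.indexOf(':');
    if (idx <= 0) continue; // blank line or malformed header
    headers[line.slice(0, idx).trim().toLowerCase()] = line.slice(idx + 1).trim();
  }
  return headers;
}

// Longest run of leading path segments shared by every path in the list.
function commonPrefix(paths) {
  const split = paths.map((p) => p.split('/').filter(Boolean));
  const first = split[0];
  let n = 0;
  while (n < first.length && split.every((s) => s[n] === first[n])) n++;
  return '/' + first.slice(0, n).join('/');
}

// Sort routes into leaking/clean and name the prefix the leaking ones share.
// A suspectMount of "/" means the header is sent application-wide.
function auditPoweredBy(samples) {
  const leaking = [];
  const clean = [];
  for (const { path, raw } of samples) {
    const value = parseHeaders(raw)['x-powered-by'];
    (value === undefined ? clean : leaking).push(path);
  }
  return {
    leaking,
    clean,
    suspectMount: leaking.length ? commonPrefix(leaking) : null,
  };
}

console.log(auditPoweredBy(SAMPLES));
```

Sample at least two routes under each mount point; with a single leaking route the reported prefix is that route's full path.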
Solution 7 - Javascript
For hiding X-Powered-By you can use the Node.js library helmet.
The link for that is helmet
var helmet = require('helmet');
app.use(helmet.hidePoweredBy());
Solution 8 - Javascript
Sometimes answers at the top don't work. This is my case. I have Express 4.17.1 and none of the answers work. So I invented my own solution:
let app = express();
app.use((req, res, next) => {
  const send = res.send;
  res.send = (data) => {
    res.removeHeader('X-Powered-By');
    return send.call(res, data);
  };
  next();
});
Solution 9 - Javascript
Maybe this could be obvious to the more seasoned Express users, but only this worked for me:
app.configure(function() {
  app.use(function (req, res, next) {
    res.removeHeader("X-Powered-By");
    next();
  });
});
Solution 10 - Javascript
Reading the code https://github.com/visionmedia/express/blob/master/lib/http.js#L72 makes me think that you will have to live with it since it doesn't seem to be conditional.
If you have an nginx/apache frontend you can still remove the header with it (with mod_headers for apache and headers-more for nginx)
Solution 11 - Javascript
Note: Answers are scattered through the posts and this is meant to be a compilation, plus some additions of my own. They are all tested.
Note 2: Something important is missing: if you're checking headers in your frontend, using a development server, be it Angular, React or webpack dev server, you will still see the header. This is because webpack-dev-server is indeed an Express server and what you're seeing are the headers presented from that application. Your backend won't send the header if using one of these options.
There are many ways to do this.
1) Disable "X-powered-by" with Express options by default.
import express from 'express'
const app = express()
app.disable('x-powered-by')
// app.use(...)
2) Use a middleware to remove it on each request:
- Removes X-powered-by key
import express from 'express'
const app = express()
app.use(function (req, res, next) {
  res.removeHeader("X-Powered-By");
  next();
});
- Change X-powered-by value to something else
import express from 'express'
const app = express()
app.use(function (req, res, next) {
  res.header("X-powered-by", "not-Express")
  next()
})
3) Use helmet to remove it, as well as configure 10 other HTTP recommended headers ("It's not a silver bullet, but it can help!")
- Default setting (applies all 11 HTTP headers)
import express from 'express'
import helmet from 'helmet'
const app = express()
app.use(helmet())
- Just remove X-powered-by
import express from 'express'
import helmet from 'helmet'
const app = express()
app.use(helmet.hidePoweredBy());
Related to "note 2":
If you're using webpack-dev-server for hot reload, you will still see this header. That is because it is using an express server, so the headers are coming from it, not from the backend Express you're configuring.
Even if you didn't set up webpack-dev-server, some boilerplate tools used in major frontend frameworks (like create-react-app) will still use webpack-dev-server under the hood.
For example, if you inspect start script in CRA (being called when "npm start" is executed):
Solution 12 - Javascript
removeHeader will work only in route middleware, coffeescript example
fix_headers = (req, res, next) ->
  res.removeHeader 'X-Powered-By'
  next()
app.get '/posts', fix_headers, (req, res, next) ->
  ...
Solution 13 - Javascript
None of this worked for me, except this (you need to add another parameter):
app.use(helmet.hidePoweredBy({ setTo: 'guesswhat' }))
I'm using Express ^4.17