I am running a server on nodejs with express. I can't seem to get rid of the header:

X-Powered-By:Express

I was wondering if there is any way to get rid of this header or do I have to live with it?

asked May 3, 2011 at 8:53 by tyronegcarter; edited Feb 13, 2016 at 15:35 by Seyed Ali Ghaffari
  • @alessioalex this question has more views (for whatever reasons it is more popular), so let's make other duplicate of this instead. – Alexei Levenkov Commented Oct 4, 2014 at 6:29
13 Answers

In Express >= 3.0.0rc5:

app.disable('x-powered-by');

Here is a simple middleware that removes the header in earlier versions of Express:

app.use(function (req, res, next) {
  res.removeHeader("x-powered-by");
  next();
});

Just to piggy-back on rjack's answer, you could also (optionally) just change (set) the X-powered-by header to something much cooler/custom like this:

app.use(function (req, res, next) {
  res.header("X-powered-by", "Blood, sweat, and tears")
  next()
})

In Express v3.0.0rc5 or higher, support for disabling the X-Powered-By header is built in:

const express = require('express');

const app = express();
app.disable('x-powered-by');

Express.js docs:

  • Application Settings Table
  • app.disable

From the source (http://expressjs.com/en/api.html#app.set). In Express 4.X just set the app using the line below;

app.set('x-powered-by', false) // hide x-powered-by header!

Here's a handy middleware you can drop in to swap out X-Powered-By:

function customHeaders( req, res, next ){
  // Switch off the default 'X-Powered-By: Express' header
  app.disable( 'x-powered-by' );

  // OR set your own header here
  res.setHeader( 'X-Powered-By', 'Awesome App v0.0.1' );

  // .. other headers here

  next()
}

app.use( customHeaders );

// ... now your code goes here

Setting X-Powered by in this case would override the default 'Express', so you do not need to both disable AND set a new value.

None of the standard solutions worked for me either. After much searching I found out that we used a routes file where a new express instance was started, which was later added to the first by using app.use. Only for the routes in this new express instance the X-Powered-By header was present.

Simplistic view of issue:

const app = express();
app.disable("x-powered-by");
app.get("/ping", (req, res) => res.send("Pong")); // <-- no X-Powered-By header

const moreRoutes = express();
moreRoutes.get("/ping", (req, res) => res.send("Pong")); // <-- X-Powered-By header still present

app.use("/api/v2", moreRoutes);

Solution was simply to create a new express.Router instead of a whole instance.

const moreRoutes = express.Router();

Sometimes answers at the top don't work. This is my case. I have Express 4.17.1 and none of the answers work. So I invented my own solution:

let app = express();

app.use((req, res, next) => {
  const send = res.send;
  res.send = (data) => {
    res.removeHeader('X-Powered-By');
    return send.call(res, data);
  };

  next();
});

To hide X-Powered-By you can use the helmet library:

var helmet = require('helmet');
app.use(helmet.hidePoweredBy());

Maybe this could be obvious to the more seasoned Express users, but only this worked for me:

app.configure(function() {
    app.use(function (req, res, next) {
        res.removeHeader("X-Powered-By");
        next();
    });
});

Note: Answers are scattered through the posts and this is meant to be a compilation, plus some additions of my own. They are all tested.

Note 2: Something important is missing: if you're checking headers in your frontend, using a development server, be it Angular, React or webpack dev server, you will still see the header. This is because webpack-dev-server is indeed an Express server and what you're seeing are the headers presented from that application. Your backend won't send the header if using one of these options.


There are many ways to do this.

1) Disable "X-powered-by" with Express options by default.
import express from 'express'
const app = express()
app.disable('x-powered-by')
// app.use(...)

2) Use a middleware to remove it on each request:

  • Removes X-powered-by key
import express from 'express'
const app = express()

app.use(function (req, res, next) {
  res.removeHeader("X-Powered-By");
  next();
});
  • Change X-powered-by value to something else
import express from 'express'
const app = express()

app.use(function (req, res, next) {
  res.header("X-powered-by", "not-Express")
  next()
})

3) Use helmet to remove it, as well as configure 10 other HTTP recommended headers ("It's not a silver bullet, but it can help!")

  • Default setting (applies all 11 HTTP headers)
import express from 'express'
import helmet from 'helmet'
const app = express()

app.use(helmet())
  • Just remove X-powered-by
import express from 'express'
import helmet from 'helmet'
const app = express()

app.use(helmet.hidePoweredBy());

Related to "note 2":

If you're using webpack-dev-server for hot reload, you will still see this header. That is because it is using an express server, so the headers are coming from it, not from the backend Express you're configuring.

Even if you didn't set up webpack-dev-server, some boilerplate tools used in major frontend frameworks (like create-react-app) will still use webpack-dev-server under the hood.

For example, if you inspect start script in CRA (being called when "npm start" is executed):

Reading the code https://github.com/visionmedia/express/blob/master/lib/http.js#L72 makes me think that you will have to live with it since it doesn't seem to be conditional.

If you have an nginx/apache frontend you can still remove the header with it (with mod_headers for apache and headers-more for nginx)

removeHeader will work only in route middleware, coffeescript example

fix_headers =  (req, res, next) ->
    res.removeHeader 'X-Powered-By'
    next()

app.get '/posts', fix_headers, (req, res, next) ->
  ...

None of this worked for me, except this (you need to add another parameter):

app.use(helmet.hidePoweredBy({ setTo: 'guesswhat' }))

I'm using Express ^4.17
