How to fix: X-Powered-By absent / generic

OWASP A05

Why this matters

X-Powered-By is the application-framework equivalent of the Server header: 'Express', 'PHP/7.4', 'ASP.NET'. It gives attackers a free pre-recon hint. Most frameworks let you turn it off in one config line.

Background

X-Powered-By and Server headers leak the framework and version you're running. That gives attackers a free CVE lookup: 'Is this site running Express 4.16.2? Yes, here are the known CVEs.' Strip both.

References

OWASP A05 (Security Misconfiguration) · Server fingerprinting

How to fix

Code snippets for each stack we cover. Pick the one matching your server or framework.

nginx
  server_tokens off;               (in the http {} block)
  proxy_hide_header X-Powered-By;  (when proxying to an upstream Express/PHP app)
apache
  ServerTokens Prod
  ServerSignature Off
cloudflare
  Transform Rules → Modify Response Header → Remove X-Powered-By.
wordpress
  Add to wp-config.php:
    define('WP_HEADERS_HIDE_VERSION', true);
  OR add to functions.php:
    remove_action('wp_head', 'wp_generator');
flask
  app.config['ENV'] = 'production'
  Then strip the header in an after_request hook:
    @app.after_request
    def strip_powered_by(resp):
        resp.headers.pop('X-Powered-By', None)
        return resp
express
  app.disable('x-powered-by')
rails
  Rails strips it by default. Check Rack::Runtime and any custom middleware.

Verify it's working

curl -sI https://your-site/ | grep -iE 'x-powered-by|server' — should show neither (or just 'Server: cloudflare').
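The grep above is a quick eyeball check. The following is an added example, not part of this guide, that turns it into a repeatable audit: it parses the raw header block `curl -sI` prints, flags X-Powered-By, and distinguishes a Server value that carries a version (`nginx/1.18.0`) from one that only names a product (`Apache`) or an edge provider the guide accepts (`cloudflare`). The two sample responses (`LEAKY`, `CLEAN`) are constructed for the demo; the function and constant names are this example's own.

```python
"""Added example: audit a captured header block for fingerprinting leaks.

Usage:  curl -sI https://your-site/ | python3 audit_headers.py
With no piped input the constructed LEAKY sample is audited instead.
"""
import re
import sys

# Server values the guide treats as acceptable: an edge provider, no version.
ALLOWED_SERVER_VALUES = {"cloudflare"}

# Matches "product/1.2" or a bare "1.2" style version inside a Server value.
VERSION_RE = re.compile(r"/\d|\b\d+\.\d+")


def parse_headers(raw):
    """Turn 'Name: value' lines (CRLF or LF) into a list of (name, value)."""
    headers = []
    for line in raw.splitlines():
        line = line.rstrip("\r")
        # Skip the status line ("HTTP/1.1 200 OK", "HTTP/2 200") and blanks.
        if not line or line.startswith("HTTP/") or ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers.append((name.strip(), value.strip()))
    return headers


def audit_headers(raw):
    """Return a list of human-readable findings; empty means nothing leaks."""
    findings = []
    for name, value in parse_headers(raw):
        key = name.lower()
        if key == "x-powered-by":
            findings.append(f"X-Powered-By present: {value!r}")
        elif key == "server":
            if value.lower() in ALLOWED_SERVER_VALUES:
                continue
            if VERSION_RE.search(value):
                findings.append(f"Server header leaks a version: {value!r}")
            else:
                findings.append(f"Server header names the product: {value!r}")
    return findings


# Constructed sample responses (not captured from any real site).
LEAKY = (
    "HTTP/1.1 200 OK\r\n"
    "Server: nginx/1.18.0\r\n"
    "X-Powered-By: PHP/7.4.3\r\n"
    "Content-Type: text/html\r\n\r\n"
)
CLEAN = (
    "HTTP/1.1 200 OK\r\n"
    "Server: cloudflare\r\n"
    "Content-Type: text/html\r\n\r\n"
)


if __name__ == "__main__":
    raw = sys.stdin.read() if not sys.stdin.isatty() else LEAKY
    findings = audit_headers(raw)
    for finding in findings:
        print("LEAK:", finding)
    if not findings:
        print("OK: no fingerprinting headers found")
    sys.exit(1 if findings else 0)
```

The non-zero exit status on findings makes this usable as a CI gate after a deploy, so a regression (a new upstream that reintroduces X-Powered-By behind a proxy that never had `proxy_hide_header` set) fails the pipeline instead of going unnoticed.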

Want to know if your site has this issue?

Run a free 53-check audit — security, GDPR, NIS2, and technical SEO.
