How to fix: X-Powered-By absent / generic
OWASP A05
Why this matters
X-Powered-By is the application-framework equivalent of the Server header: 'Express', 'PHP/7.4', 'ASP.NET'. It gives attackers a free pre-recon hint. Most frameworks let you turn it off in one config line.
Background
X-Powered-By and Server headers leak the framework or server you're running, and often the exact version: 'Server: nginx/1.18.0', 'X-Powered-By: PHP/7.4.3'. That gives attackers a free CVE lookup → 'is this site running PHP 7.4.3? Yes, here are the known CVEs.' Even a bare product name (Express sends just 'X-Powered-By: Express', no version) narrows the search. Strip both.
References
OWASP A05 (Security Misconfiguration) · Server fingerprinting
How to fix
Code snippet for each stack we cover. Pick the one matching your server / framework.
nginx
server_tokens off; (in http {}). Note this only drops the version; nginx still sends 'Server: nginx'. Removing the header entirely needs the headers-more module (more_clear_headers Server;) or a patched build. Also: proxy_hide_header X-Powered-By; for upstream Express/PHP, or fix it at the source (expose_php = Off in php.ini).
apache
ServerTokens Prod
ServerSignature Off
Prod still sends 'Server: Apache' (product name, no version); that is as far as stock Apache goes. For PHP behind Apache add Header unset X-Powered-By (mod_headers) or set expose_php = Off in php.ini.
cloudflare
Transform Rules → Modify Response Header → Remove X-Powered-By. This only strips the header at the edge: anyone who reaches the origin directly (origin IP, leaked origin hostname) still sees it, so fix the origin as well.
wordpress
WordPress itself doesn't send X-Powered-By; PHP does. Set expose_php = Off in php.ini (or call header_remove('X-Powered-By'); early in a must-use plugin). The WordPress version also leaks via the <meta name="generator"> tag in the HTML; remove that in functions.php with remove_action('wp_head', 'wp_generator');
flask
Flask doesn't set X-Powered-By. The 'Server: Werkzeug/x.y Python/3.x' header comes from the development server and goes away once you run under gunicorn/uWSGI behind nginx (then strip Server at nginx as above). If a WSGI middleware or proxy adds X-Powered-By, remove it in an after_request hook: resp.headers.pop('X-Powered-By', None); return resp. Setting app.config['ENV'] has no effect on headers.
express
app.disable('x-powered-by') before registering routes, or use helmet, which removes the header for you.
rails
Rails doesn't set X-Powered-By, so there's normally nothing to strip. Rack::Runtime (in the default middleware stack) adds X-Runtime with the request's processing time, which is a separate, minor leak: drop it with config.middleware.delete Rack::Runtime. Check any custom middleware that sets headers.
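For the Flask case above, and for any other WSGI app (Django, Bottle, Pyramid), the header can be stripped once at the WSGI layer instead of per-framework. The following is an added example, not code from the audit tool or from Flask; StripFingerprintHeaders, leaky_app and call_app are hypothetical names, and leaky_app is a constructed stand-in for a framework that announces itself. Stdlib only.

```python
# Added example: framework-agnostic WSGI middleware that drops fingerprint
# headers before they leave the app. Hypothetical names; not Flask's own API.
from wsgiref.util import setup_testing_defaults


class StripFingerprintHeaders:
    """Wrap a WSGI app and drop the named response headers (case-insensitive)."""

    def __init__(self, app, headers=("X-Powered-By", "Server")):
        self.app = app
        self.blocked = {h.lower() for h in headers}

    def __call__(self, environ, start_response):
        def filtered_start_response(status, response_headers, exc_info=None):
            kept = [(name, value) for name, value in response_headers
                    if name.lower() not in self.blocked]
            return start_response(status, kept, exc_info)

        return self.app(environ, filtered_start_response)


def leaky_app(environ, start_response):
    """Constructed stand-in for an app/framework that fingerprints itself."""
    start_response("200 OK", [
        ("Content-Type", "text/plain"),
        ("X-Powered-By", "PHP/7.4.3"),
        ("Server", "nginx/1.18.0"),
    ])
    return [b"hello\n"]


def call_app(app, path="/"):
    """Invoke a WSGI app in-process and return (status, headers, body)."""
    environ = {"PATH_INFO": path}
    setup_testing_defaults(environ)
    captured = {}

    def start_response(status, response_headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = response_headers
        return lambda data: None  # WSGI write() callable, unused here

    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body


def header_names(headers):
    """Sorted, lowercased header names, for comparing before/after."""
    return sorted(name.lower() for name, _ in headers)


if __name__ == "__main__":
    # For Flask the hook-up is: app.wsgi_app = StripFingerprintHeaders(app.wsgi_app)
    status, headers, body = call_app(StripFingerprintHeaders(leaky_app))
    print(status, headers, body)
```

The middleware only controls headers the WSGI app itself emits. A Server header added by gunicorn/uWSGI or by the reverse proxy is attached after this code runs and has to be removed there (server_tokens / proxy_hide_header on nginx, the mod_headers directive on Apache).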
Verify it's working
curl -sI https://your-site/ | grep -iE 'x-powered-by|server' — should show neither (or just 'Server: cloudflare'). Two caveats: -I sends a HEAD request, and some stacks answer HEAD with different headers than GET, so also check curl -s -D - -o /dev/null https://your-site/ | grep -iE 'x-powered-by|server'. And if the site is behind Cloudflare, run the same check against the origin directly, otherwise the edge can mask a leak that is still there.
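The same check as a small script that parses a header dump (the format curl -sI prints) and flags what this check looks for: any X-Powered-By, and any Server value other than the 'cloudflare' exception, with versioned values ranked highest. Added example, not the audit tool's own checker; the severity labels and the GENERIC_SERVER_VALUES set are this example's convention, and the two samples are constructed, not captured from real sites. The live fetch uses GET rather than HEAD for the reason given above.

```python
# Added example: flag fingerprinting headers in a raw header dump.
# Severity labels and GENERIC_SERVER_VALUES are this example's own convention.
import re
import urllib.error
import urllib.request

VERSION_RE = re.compile(r"\d+\.\d+")       # matches nginx/1.18.0, PHP/7.4.3, ...
GENERIC_SERVER_VALUES = {"cloudflare"}     # edge values that name no origin software


def parse_headers(raw):
    """Turn a raw HTTP/1.x header block into [(lowercased name, value), ...]."""
    headers = []
    for line in raw.splitlines():
        if not line.strip() or line.startswith("HTTP/"):
            continue  # skip status line(s) and the blank terminator
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return headers


def fingerprint_findings(headers):
    """Return [(header, value, severity)] for every fingerprinting header found."""
    findings = []
    for name, value in headers:
        if name == "x-powered-by":
            sev = "high" if VERSION_RE.search(value) else "medium"
            findings.append((name, value, sev))
        elif name == "server":
            if value.lower() in GENERIC_SERVER_VALUES:
                continue  # 'Server: cloudflare' is the accepted exception
            sev = "high" if VERSION_RE.search(value) else "low"
            findings.append((name, value, sev))
    return findings


def fetch_raw_headers(url, timeout=10):
    """Live check with GET (not HEAD), so headers match what a browser receives."""
    req = urllib.request.Request(url, headers={"User-Agent": "header-check"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            items = resp.getheaders()
    except urllib.error.HTTPError as err:
        items = err.headers.items()  # 4xx/5xx responses still carry the headers
    return "".join(f"{k}: {v}\n" for k, v in items)


# Constructed samples, not real sites.
BEFORE_SAMPLE = ("HTTP/1.1 200 OK\r\n"
                 "Server: nginx/1.18.0\r\n"
                 "X-Powered-By: PHP/7.4.3\r\n"
                 "Content-Type: text/html\r\n\r\n")
AFTER_SAMPLE = ("HTTP/1.1 200 OK\r\n"
                "Server: cloudflare\r\n"
                "Content-Type: text/html\r\n\r\n")

if __name__ == "__main__":
    import sys
    raw = fetch_raw_headers(sys.argv[1]) if len(sys.argv) > 1 else BEFORE_SAMPLE
    for name, value, sev in fingerprint_findings(parse_headers(raw)):
        print(f"[{sev}] {name}: {value}")
```

Run it with a URL to check a live site, or pipe nothing and it evaluates the constructed BEFORE_SAMPLE. A bare product name ('Server: nginx', 'X-Powered-By: Express') is still reported, just at a lower severity than a full version string, which matches the page's goal of showing neither header at all.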