Problem
Your Express.js application exposes the "X-Powered-By: Express" header in responses, revealing server technology to potential attackers and failing security scans.
Solution
const express = require('express');
const app = express();

// Method 1: Disable the X-Powered-By header
app.disable('x-powered-by');

// Your routes
app.get('/', (req, res) => {
  res.send('Hello World');
});

app.get('/api/users', (req, res) => {
  res.json({ users: ['John', 'Jane'] });
});

app.listen(3000, () => {
  console.log('Server running on port 3000');
});
Alternative method using Helmet.js (recommended for production):
const express = require('express');
const helmet = require('helmet');
const app = express();

// Helmet automatically disables X-Powered-By and adds security headers
app.use(helmet());

app.get('/', (req, res) => {
  res.send('Hello World');
});

app.listen(3000, () => {
  console.log('Server running on port 3000');
});
Install Helmet for comprehensive security:
npm install helmet
Explanation
app.disable('x-powered-by') removes the default Express header that reveals your server technology. This prevents attackers from easily identifying your tech stack for targeted attacks, and it clears the finding that security scanners raise for this header.

Helmet.js is the recommended approach because it not only disables X-Powered-By but also adds multiple security headers, such as X-Content-Type-Options, X-Frame-Options, and Strict-Transport-Security, for more comprehensive protection.