how to remove X-Powered-By in ExpressJS
77,503
Solution 1
The better way to do it is:
app.disable('x-powered-by');
You can also make a middleware to remove any header like so:
app.use(function (req, res, next) {
res.removeHeader("X-Powered-By");
next();
});
See more info on how to remove a header:
http://nodejs.org/api/http.html#http_response_removeheader_name
Solution 2
Don't remove it; ask Express not to generate it in the first place:
https://stackoverflow.com/a/12484642/506073
Go to your app.js
and just after:
var app = express();
Add:
app.disable('x-powered-by');
Solution 3
Middleware snippet from: Can't get rid of header X-Powered-By:Express
function customHeaders( req, res, next ){
// Switch off the default 'X-Powered-By: Express' header
app.disable( 'x-powered-by' );
// OR set your own header here
res.setHeader( 'X-Powered-By', 'Awesome App v0.0.1' );
// .. other headers here
next();
}
app.use( customHeaders );
// ... now your code goes here
Author by
MajidTaheri
Programming : Functional Programming Database: NewSQL(MySQL 5.7,SQL2016,...) Backend: Nodejs,Expressjs,DotNet,PHP Frontend:Reactjs.Nunjucks,Bootstrap,Hogan
Updated on July 15, 2022Comments
-
MajidTaheri almost 2 years
I want to remove X-Powered-By for Security,Save Bandwidth in ExpressJS(node.js). how to do it? it could be filter(app.use) ?
app.use(function(req,res,next_cb){ /* remove X-Powered-By header */ next_cb(); }
-
Lee Benson almost 11 yearsIMO, this should be the answer - middleware is a performance hit on every request, why not just prevent the header being spawned in the first place?
-
ptz0n about 10 yearsThis is not the desired/perfect/correct answer. See the one with the most upvotes. Cheers!
-
alessioalex about 10 yearsTrue, updated my answer to reflect that.
-
tim-montague almost 8 yearsOne could also use
app.set('x-powered-by', false);
-
neoDev over 7 yearsI just tested
app.disable('custom1');
And it worked fine (it removed the header from server response). But then I commented outapp.disable('custom1');
and the header appears again... Is this normal? I do no longer have theres.header("custom1", "test");
in my code as I do no longer want that header, but it still appears... -
neoDev over 7 yearsThis only removes temporarily custom headers once set, if I comment-out this line in my code the custom header reappears, so it is not deleted... and I need to delete it! I also tried
res.removeHeader("custom1");
but does't work... -
neoDev over 7 yearsI just tested
app.disable('custom1');
And it worked fine (it removed the header from server response). But then I commented outapp.disable('custom1');
and the header appears again... Is this normal? I do no longer have theres.header("custom1", "test");
in my code as I do no longer want that header, but it still appears... I also triedres.removeHeader("custom1");
but does't work... -
Kermit_ice_tea over 7 yearserr....it works...took it off on the client
-
Sebastien H. over 5 yearsbest practice is to disable it within express. see below answer
-
Stijn de Witt over 5 yearsIt's not working for me. The line
app.disable('x-powered-by');
seems to have no effect whatsoever... -
Jang-Ho Bae over 3 yearsI reckon that is because of the page you are working have a cache. I have same problem. So, After changed some code in router i am working, 'X-Powered-By' header was removed.
-
TmTron over 2 yearsWhen you test this, make sure, that you connect directly to your express application. i.e. I accidentally connected to the frontend-proxy which happend to also use express and has added the x-powered-by header again.