Can't get rid of header X-Powered-By:Express

Question

Can't get rid of header X-Powered-By:Express

I am running a server on nodejs with express. I can't seem to get rid of the header:

X-Powered-By:Express

I was wondering if there is any way to get rid of this header or do I have to live with it?

javascript
node.js
http-headers
express

Answer 1

In Express >= 3.0.0rc5:

app.disable('x-powered-by');

Here is a simple middleware that removes the header in earlier versions of Express:

app.use(function (req, res, next) {
  res.removeHeader("x-powered-by");
  next();
});

Answer 2

As of Express v3.0.0rc5, support for disabling the X-Powered-By header is built in:

var express = require('express');

var app = express();
app.disable('x-powered-by');

Answer 3

Just to piggy-back on rjack's answer, you could also (optionally) just change (set) the X-powered-by header to something much cooler/custom like this:

app.use(function (req, res, next) {
  res.header("X-powered-by", "Blood, sweat, and tears")
  next()
})

Answer 4

Here's a handy middleware you can drop in to swap out X-Powered-By:

function customHeaders( req, res, next ){
  // Switch off the default 'X-Powered-By: Express' header
  app.disable( 'x-powered-by' );

  // OR set your own header here
  res.setHeader( 'X-Powered-By', 'Awesome App v0.0.1' );

  // .. other headers here

  next()
}

app.use( customHeaders );

// ... now your code goes here

Setting X-Powered by in this case would override the default 'Express', so you do not need to both disable AND set a new value.

Answer 5

Maybe this could be obvious to the more seasoned Express users, but only this worked for me:

app.configure(function() {
    app.use(function (req, res, next) {
        res.removeHeader("X-Powered-By");
        next();
    });
});

Answer 6

Reading the code https://github.com/visionmedia/express/blob/master/lib/http.js#L72 makes me think that you will have to live with it since it doesn't seem to be conditional.

If you have an nginx/apache frontend you can still remove the header with it (with mod_headers for apache and headers-more for nginx)

Answer 7

removeHeader will work only in route middleware, coffeescript example

fix_headers =  (req, res, next) ->
    res.removeHeader 'X-Powered-By'
    next()

app.get '/posts', fix_headers, (req, res, next) ->
  ...

Answer 8

From the source (http://expressjs.com/api.html#app.set). In Express 4.X just set using the line below;

app.set('x-powered-by', false) // hide x-powered-by header!