Remove X-Powered-By for Express and NodeJS

When responding to a web request, it’s common for servers to tell the client various bits of information about themselves. The one they enjoy most is a little promotion of the name and version of the software “powering” the site. Sadly, attackers love this too, as it tells them exactly which software to research for an attack vector.

By default, ExpressJS with NodeJS will return an X-Powered-By header:

$ curl -I 0.0.0.0:3000/
HTTP/1.1 302 Moved Temporarily
X-Powered-By: Express

I wasn’t overly impressed by this, but it’s easy to remove. In your application configuration, at the top, add a new middleware function which removes the header before anything else runs:

  var express = require('express');
  var app = express();

  app.configure(function(){
      // Strip the header first, so it is already gone when any later
      // middleware or route handler sends the response.
      app.use(function (req, res, next) {
        res.removeHeader('X-Powered-By');
        next();
      });

      app.set('views', __dirname + '/views');
      app.set('view engine', 'jade');
      app.use(express.bodyParser());
      app.use(express.methodOverride());
      app.use(express.cookieParser());
      app.use(express.static(__dirname + '/static'));
  });

Simple.
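As an added example (not code from the original post), here is the same middleware exercised against a small stand-in for Express’s response object so it runs without Express installed, together with a checker you can point at raw curl -I output to confirm no stack-advertising headers are left. The fake response, the runChain helper and the sample curl text are all constructed for this example.

```javascript
// Middleware as in the post: strip the header, then hand off to the next one.
function removePoweredBy(req, res, next) {
  res.removeHeader('X-Powered-By');
  next();
}

// Constructed stand-in for an Express/Node response. Header names are
// case-insensitive, as in Node's http.ServerResponse.
function makeFakeResponse(initialHeaders) {
  const headers = new Map();
  for (const [name, value] of Object.entries(initialHeaders)) {
    headers.set(name.toLowerCase(), value);
  }
  return {
    setHeader(name, value) { headers.set(name.toLowerCase(), value); },
    removeHeader(name) { headers.delete(name.toLowerCase()); },
    getHeaders() { return Object.fromEntries(headers); },
  };
}

// Run a middleware chain the way Express does: each one calls next() to
// continue. Returns the headers that would be sent to the client.
function runChain(middlewares, req, res) {
  let i = 0;
  const next = () => {
    if (i < middlewares.length) middlewares[i++](req, res, next);
  };
  next();
  return res.getHeaders();
}

// Defender-side check: given the raw text of a `curl -I` response, return the
// header names that advertise the server software.
const FINGERPRINT_HEADERS = ['x-powered-by', 'server'];
function findFingerprintHeaders(rawResponse) {
  return rawResponse.split(/\r?\n/).slice(1)     // skip the status line
    .map(line => line.split(':')[0].trim().toLowerCase())
    .filter(name => FINGERPRINT_HEADERS.includes(name));
}

// Express sets X-Powered-By before application middleware runs, so the fake
// response starts with it already present; the chain must end without it.
const headersAfterStrip = runChain(
  [removePoweredBy,
   (req, res, next) => { res.setHeader('Content-Type', 'text/html'); next(); }],
  {}, makeFakeResponse({ 'X-Powered-By': 'Express' })
);

// Constructed sample, matching the curl output quoted in the post.
const SAMPLE_CURL_OUTPUT =
  'HTTP/1.1 302 Moved Temporarily\nX-Powered-By: Express\nLocation: /login\n';
```

Run the checker against your own `curl -I` output after deploying the middleware; an empty result means the header is gone.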