Comments (7)
Based on the discussion in the TC (#40 and recorded at https://www.youtube.com/watch?v=KhIxUWh9fCU), assuming that the default behavior is not changed, the next question is should we change the doc? Here is the section in question: http://expressjs.com/en/advanced/best-practice-security.html#at-a-minimum-disable-x-powered-by-header .
I don't think anyone would say that for security considerations you shouldn't disable the X-Powered-By header, but we also don't want to imply that disabling it will provide any additional real measure of security. In my opinion, rather than deleting that section altogether, it would be better to add a note that disabling the header doesn't provide any real protection--or keep someone from determining that you're using Express--but it may deter casual exploits.... or some such wording.
from discussions.
Hi @LinusU,
Personally I think that removing X-Powered-By from the header should be a must in terms of security. So in Express I propose to remove x-powered-by from the application settings. If someone wants to set a value for the X-Powered-By header, they can do this through a middleware.
from discussions.
I agree with the comments that @dougwilson made. Unfortunately in my experience the security auditing environment that is currently out there uses that as a red herring to you making it easy to identify the underlying system. You see such a header with Nginx/Apache (and others as well) and as Doug mentioned identifying the server by the responses it has is fairly trivial as well.
At the end of the day, all that I had to do was add a setting to turn off the X-Powered-By header to appease the security scanners, which I don't think is a big deal. At the end of the day we include in the docs how to turn this off and it is dead simple; I think enough has been done by the project for it.
Code to turn off the X-Powered-By header:
app.disable('x-powered-by');
from discussions.
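As an added example (not code from this thread or from Express itself), the two options the comments describe, stripping the header or setting it from a middleware, written as plain Express-style middleware, plus a defender-side check that flags stack-disclosing headers. A constructed stand-in for Node's http.ServerResponse keeps it runnable offline; in a real app the equivalent of the first middleware is app.disable('x-powered-by').

```javascript
// Added example, not from the thread or from Express. The fake response below
// is constructed here; it only mirrors the ServerResponse header methods.

// What Express does before user middleware when 'x-powered-by' is enabled.
function expressInit(req, res, next) {
  res.setHeader('X-Powered-By', 'Express');
  next();
}

// Equivalent of app.disable('x-powered-by'), done as middleware.
function stripPoweredBy(req, res, next) {
  res.removeHeader('X-Powered-By');
  next();
}

// Middleware factory that overrides the banner with a caller-chosen value.
function setPoweredBy(value) {
  return function (req, res, next) {
    res.setHeader('X-Powered-By', value);
    next();
  };
}

// Run a middleware chain in order for one request, as Express would.
function runChain(middlewares, req, res) {
  let i = 0;
  const next = () => { const mw = middlewares[i++]; if (mw) mw(req, res, next); };
  next();
  return res;
}

// Defender-side check: list headers that reveal the server stack.
// HTTP header names are case-insensitive, so compare lower-cased.
function disclosureHeaders(res) {
  const watched = ['x-powered-by', 'server'];
  return Object.entries(res.getHeaders())
    .filter(([name]) => watched.includes(name.toLowerCase()))
    .map(([name, value]) => `${name}: ${value}`);
}

// Constructed stand-in for http.ServerResponse (same method names, lower-cased keys).
function fakeResponse() {
  const h = {};
  return {
    setHeader(k, v) { h[k.toLowerCase()] = v; },
    removeHeader(k) { delete h[k.toLowerCase()]; },
    getHeader(k) { return h[k.toLowerCase()]; },
    getHeaders() { return { ...h }; },
  };
}
```

Running disclosureHeaders over a response after the chain shows whether the banner survived; a scanner that flags X-Powered-By is doing essentially this check.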
Sending the server signature is like an invitation to have the popular and 0-day vulnerabilities tried on it for fun and/or profit. Not sending the 'X-Powered-By' alone can deter the casual drive-by hax0rs from poking at the server for teh lulz.
I hope it never happens, but if Express is ever known for a privilege escalation vulnerability, 'X-Powered-By: Express' will be one of the treasured signals for people who scan the whole Internet for vulnerable servers.
As an Express team member, I don't feel like taking away X-Powered-By, but as a security conscious developer, I recommend turning it off for serious projects.
from discussions.
At the end of the day as @dougwilson pointed out this still can be established in a few different ways so if someone was seriously gunning for your server having this on or off makes no difference.
But I agree with @hacksparrow also that turning it off for public facing small projects can stop "the casual drive-by hax0rs" who are literally only scanning for Powered-By's.
I vote to keep the X-Powered-By since it makes no difference if we completely delete the tag or not. Especially if this is the only way we give credit where credit is deserved. It is a one line switch to turn it off as @NickNaso pointed out.
If turning it off with one line of code is that serious of an issue, then this library might just not be for [you].
from discussions.
@crandmck That seems to me to be the sane thing to do.
from discussions.
Note was added to http://expressjs.com/en/advanced/best-practice-security.html#at-a-minimum-disable-x-powered-by-header so I think we can close this now.
from discussions.