
Comments (7)

crandmck commented on April 25, 2024

Based on the discussion in the TC (#40 and recorded at https://www.youtube.com/watch?v=KhIxUWh9fCU), assuming that the default behavior is not changed, the next question is should we change the doc? Here is the section in question: http://expressjs.com/en/advanced/best-practice-security.html#at-a-minimum-disable-x-powered-by-header .

I don't think anyone would say that for security considerations you shouldn't disable the X-Powered-By header, but we also don't want to imply that disabling it will provide any additional real measure of security. In my opinion, rather than deleting that section altogether, it would be better to add a note that disabling the header doesn't provide any real protection--or keep someone from determining that you're using Express--but it may deter casual exploits.... or some such wording.

from discussions.

NickNaso commented on April 25, 2024

Hi @LinusU,
Personally I think that removing X-Powered-By from the header should be a must in terms of security. So in Express I propose to remove x-powered-by from the application settings. If someone wants to set a value for the X-Powered-By header, they can do this through a middleware.


DavidTPate commented on April 25, 2024

I agree with the comments that @dougwilson made. Unfortunately, in my experience the security auditing environment that is currently out there uses that as a red herring, that you are making it easy to identify the underlying system. You see such a header with Nginx/Apache (and others as well), and as Doug mentioned, identifying the server by the responses it has is fairly trivial as well.

At the end of the day, all that I had to do was add a setting to turn off the X-Powered-By header to appease the security scanners, which I don't think is a big deal. At the end of the day we include in the docs how to turn this off and it is dead simple; I think enough has been done by the project for it.

Code to turn off the X-Powered-By header:

app.disable('x-powered-by');


hacksparrow commented on April 25, 2024

Sending the server signature is like an invitation to have the popular and 0-day vulnerabilities tried on it for fun and/or profit. Not sending the 'X-Powered-By' alone can deter the casual drive-by hax0rs from poking at the server for teh lulz.

I hope it never happens, but if Express is ever known for a privilege escalation vulnerability, 'X-Powered-By: Express' will be one of the treasured signals for people who scan the whole Internet for vulnerable servers.

As an Express team member, I don't feel like taking away X-Powered-By, but as a security conscious developer, I recommend turning it off for serious projects.


gabeio commented on April 25, 2024

At the end of the day, as @dougwilson pointed out, this still can be established in a few different ways, so if someone was seriously gunning for your server, having this on or off makes no difference.

But I agree with @hacksparrow also that turning it off for public facing small projects can stop "the casual drive-by hax0rs" who are literally only scanning for Powered-By's.

I vote to keep the X-Powered-By since it makes no difference if we completely delete the tag or not. Especially if this is the only way we give credit where credit is deserved. It is a one line switch to turn it off as @NickNaso pointed out.

If turning it off with one line of code is that serious of an issue, then this library might just not be for [you].


DavidTPate commented on April 25, 2024

@crandmck That seems to me to be the sane thing to do.


crandmck commented on April 25, 2024

Note was added to http://expressjs.com/en/advanced/best-practice-security.html#at-a-minimum-disable-x-powered-by-header so I think we can close this now.
