JS-S1004

Disable `X-POWERED-BY` HTTP header

Severity: Major
Category: Security
Tags: a05, cwe-200, owasp-top-10, 2021

Disclosing a technology fingerprint lets an attacker learn which technologies the web application was built with and focus their assessment more quickly, for example by looking up known vulnerabilities in the identified components.

Do not disclose the technologies used on a website through the `X-POWERED-BY` HTTP header. Disabling the header entirely is preferable to setting it to a random or misleading value: the presence of the header is itself a hint about the stack, and a fake value can still be probed.

Bad Practice

```javascript
let express = require('express');
let app = express(); // Sensitive: Express sends "X-Powered-By: Express" by default

app.get('/', function (req, res) {
  res.send('hello')
});
```
Recommended

```javascript
let express = require('express');

// Approach 1: Using express
let app1 = express();
app1.disable("x-powered-by"); // Express stops emitting the header

// Approach 2: Using helmetjs and express
let helmet = require("helmet");
let app2 = express();
app2.use(helmet.hidePoweredBy()); // middleware that removes X-Powered-By from every response
```
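To confirm the fix actually took effect, it helps to audit a captured response for fingerprint headers rather than trusting the configuration. The following is an added example, not code from the rule page or from Express or Helmet: a small check that parses a raw HTTP/1.1 response and reports technology-revealing headers. Header names are compared case-insensitively, and any `X-Powered-By` value is flagged, so a spoofed value does not pass. The list of header names, the function names and the sample responses are all assumptions of this example.

```javascript
// Added example (not from the rule page): audit a captured HTTP response for
// technology-fingerprint headers. Header names are case-insensitive, so the
// check lowercases them; any X-Powered-By value is flagged, because a made-up
// value still reveals that the header is being sent.

// Response headers that commonly leak the stack (assumed list for this example,
// not something the rule defines).
const FINGERPRINT_HEADERS = new Set([
  'x-powered-by',
  'server',
  'x-aspnet-version',
  'x-aspnetmvc-version',
]);

// Parse the head of a raw HTTP/1.1 response into a lowercase-keyed header map.
// Repeated header fields are joined with ", ".
function parseResponse(raw) {
  const headEnd = raw.indexOf('\r\n\r\n');
  const head = headEnd === -1 ? raw : raw.slice(0, headEnd);
  const lines = head.split('\r\n');
  const statusLine = lines.shift();
  const headers = Object.create(null);
  for (const line of lines) {
    const sep = line.indexOf(':');
    if (sep === -1) continue; // not a header field, skip it
    const name = line.slice(0, sep).trim().toLowerCase();
    const value = line.slice(sep + 1).trim();
    headers[name] = name in headers ? `${headers[name]}, ${value}` : value;
  }
  return { statusLine, headers };
}

// Return every fingerprint header present, with its value, in response order.
function findFingerprintHeaders(raw) {
  const { headers } = parseResponse(raw);
  return Object.entries(headers)
    .filter(([name]) => FINGERPRINT_HEADERS.has(name))
    .map(([name, value]) => ({ name, value }));
}

// Constructed sample responses (not captured from a real server). The first one
// mirrors what the "Bad Practice" Express app above sends by default.
const DEFAULT_RESPONSE =
  'HTTP/1.1 200 OK\r\n' +
  'X-Powered-By: Express\r\n' +
  'Content-Type: text/html; charset=utf-8\r\n' +
  'Content-Length: 5\r\n' +
  '\r\n' +
  'hello';

// Setting a fake value instead of disabling the header: still flagged. The
// lowercase field name is deliberate, the check must catch it regardless.
const SPOOFED_RESPONSE = DEFAULT_RESPONSE.replace(
  'X-Powered-By: Express',
  'x-powered-by: PHP/7.4'
);

// After app.disable("x-powered-by") or helmet.hidePoweredBy(): header is gone.
const HARDENED_RESPONSE = DEFAULT_RESPONSE.replace('X-Powered-By: Express\r\n', '');

if (typeof require !== 'undefined' && require.main === module) {
  const samples = [
    ['default', DEFAULT_RESPONSE],
    ['spoofed', SPOOFED_RESPONSE],
    ['hardened', HARDENED_RESPONSE],
  ];
  for (const [label, raw] of samples) {
    const leaks = findFingerprintHeaders(raw);
    console.log(`${label}: ${leaks.length === 0 ? 'clean' : JSON.stringify(leaks)}`);
  }
}
```

Run the same check against a real response (for example the raw output of `curl -si`) after deploying either fix; the `hardened` case should be the only outcome. Note that the `Server` header, if present, is usually added by the reverse proxy or platform in front of Express and has to be disabled there, not in the application.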
