kwhinnery/todomvc-plusplus

Don't send "Powered By Express" header with HTTP responses

kwhinnery opened this issue · 4 comments

By default, Express sends an X-Powered-By header that indicates that Express is the web server behind the request. Generally speaking, you don't want to allow evildoers to know specifically what technology is serving your page, to prevent targeted attacks.

Disable this response header by any means necessary. I think there's some middleware that does this? Maybe an Express configuration option?

Won't that get nuked every time we do an NPM INSTALL? Should we figure out a way to do it within our own codebase rather than an npm module?

Commenting out line 73 of /todomvc-plusplus/node_modules/express/lib/application.js will do the job

I created a file in /src/server/controllers called headers.js:

// Middleware factory: returns a handler that strips the X-Powered-By header
// Express sets by default, then hands off to the next middleware.
function headers() {
    return function(req, res, next) {
        res.removeHeader("x-powered-by");
        next();
    };
}
module.exports = headers;

...and added the following to webapp.js:

app.use(headers());

This defines our own middleware rather than editing one of our dependencies.

app.use(function (req, res, next) {
    res.removeHeader("x-powered-by");
    next();
});
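A way to check that the posted headers() middleware does what the thread expects, added here as an example rather than code from the issue or the todomvc-plusplus project: it drives the middleware through a small stand-in for Express's pipeline (makeResponse, poweredByInit and run are assumptions, not Express code) and shows why app.use(headers()) must be registered before the routes.

```javascript
// Added example, not code from the issue thread: exercises the headers()
// middleware posted above against a stand-in for Express's pipeline.

// The middleware as posted in the thread.
function headers() {
  return function (req, res, next) {
    res.removeHeader('x-powered-by');
    next();
  };
}
// Express adds X-Powered-By in its own init step before any app.use() runs;
// this stand-in (an assumption, not Express code) does the same.
function poweredByInit(req, res, next) {
  res.setHeader('X-Powered-By', 'Express');
  next();
}
// Minimal response object: case-insensitive header store like
// http.ServerResponse, and a flag recording when the response went out.
function makeResponse() {
  const store = new Map();
  return {
    headersSent: false,
    setHeader(name, value) { store.set(name.toLowerCase(), value); },
    removeHeader(name) { store.delete(name.toLowerCase()); },
    getHeader(name) { return store.get(name.toLowerCase()); },
    end() { this.headersSent = true; },
  };
}
// Runs a middleware chain in registration order; a handler that does not
// call next() ends the chain, as in Express. Returns the response.
function run(chain) {
  const res = makeResponse();
  let i = 0;
  const next = () => { if (i < chain.length) chain[i++]({}, res, next); };
  next();
  return res;
}
// Registered before the route, as the thread's webapp.js does: header is gone.
function stripsHeader() {
  const res = run([poweredByInit, headers(), (req, res) => res.end()]);
  return res.getHeader('x-powered-by') === undefined;
}
// Registered after the route: the route already sent the response and never
// called next(), so the header leaks and the middleware never runs at all.
function leaksWhenRegisteredLate() {
  const res = run([poweredByInit, (req, res) => res.end(), headers()]);
  return res.getHeader('x-powered-by') === 'Express';
}
```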