
Web Security 03 - X Powered By / Server

All the sample code is in https://github.com/brianshen1990/WebSecurity .

1. What is X-Powered-By / Server

Many of us never notice this HTTP header until we run a security scanning tool against our website. Those tools usually recommend removing this kind of header, for two reasons:

  1. Make the HTTP response headers smaller.
  2. Avoid giving away information that points at potential vulnerabilities.

So let's have a look at this header.

node index.js

This header tells every client that our backend runs on Express.

Other samples:

These headers leak backend server information. Apache and IIS, for example, have each had their own specific security bugs over the years. If an attacker knows which server software a website runs and the known bugs of that software, attacks can be aimed at exactly those weaknesses.

2. How to fix

How can we remove this kind of HTTP header, then?

Different backends need different configuration. Here we only cover our sample backend, Express.

In our Express sample we also use Helmet, but the line that removes the header is app.disable('x-powered-by').

In indexSafe.js:

...
app.use(bodyParser.urlencoded({
  extended: true
}));
app.use(bodyParser.json());
app.use(helmet.referrerPolicy({ policy: 'same-origin' }));
// Express sends "X-Powered-By: Express" by default; this setting switches it off.
app.disable('x-powered-by');
...

Now start again:

node indexSafe.js

There is no server information in the response headers any more.
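To verify the fix without a full scan tool, here is an added example (not part of the post's repository) that flags the headers which reveal the backend stack; the checker runs on any plain headers object, and checkUrl is an assumed helper that applies it to a running server using only Node's built-in http module.

```javascript
// Header names (lower-cased) that commonly identify the server software.
const FINGERPRINT_HEADERS = [
  'x-powered-by',
  'server',
  'x-aspnet-version',
  'x-aspnetmvc-version'
];

// headers: a plain object such as res.headers from Node's http module.
// Matching is case-insensitive on the header name, since HTTP headers are.
// Returns a list of { name, value } findings; an empty list means clean.
function findFingerprintHeaders(headers) {
  const findings = [];
  for (const [rawName, value] of Object.entries(headers)) {
    const name = rawName.toLowerCase();
    if (FINGERPRINT_HEADERS.includes(name)) {
      findings.push({ name, value: String(value) });
    }
  }
  return findings;
}

// Assumed helper: GET the url (e.g. http://localhost:3000/) and run the
// checker on the live response headers. The body is discarded.
function checkUrl(url) {
  const http = require('http');
  return new Promise((resolve, reject) => {
    http.get(url, (res) => {
      res.resume();
      resolve(findFingerprintHeaders(res.headers));
    }).on('error', reject);
  });
}

// Constructed sample headers for the two states of the sample app:
// index.js (header still present) and indexSafe.js (header removed).
const beforeFix = { 'x-powered-by': 'Express', 'content-type': 'text/html' };
const afterFix = { 'content-type': 'text/html', 'referrer-policy': 'same-origin' };

console.log('index.js     ->', findFingerprintHeaders(beforeFix));
console.log('indexSafe.js ->', findFingerprintHeaders(afterFix));
```

Run it against the sample app with checkUrl('http://localhost:3000/').then(console.log) to see the same result on the live server.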





Brian Shen