Web Security 03 — X Powered By / Server

Brian Shen
2 min read · Apr 23, 2020


1. Intro

Many of us never notice this HTTP header until we run a security scanner against our own websites. Those tools usually suggest removing this kind of header, for two reasons:

  • Make the HTTP response header smaller
  • Avoid exposing information that points at potential vulnerabilities

So let’s have a look at this header in the blog system we prepared in the earlier session.

npm start

This header reveals that our backend is powered by Express.

Other samples:

Those headers leak information about the backend server. As we know, servers such as Apache and IIS have had their own specific security bugs. If an attacker learns which server (and which version) a website runs, and knows the bugs affecting it, the site becomes a much easier target.

2. How to fix

How can we remove this kind of HTTP header, then? Different backends have different configurations; here we only cover our demo blog system, which runs on Express. In Express, the header can simply be disabled in the application settings.

Now start again:

npm run-script startSafe

The response no longer carries any server information.

What is this place? Nanjing International Youth Culture Park, Nanjing, Jiangsu, China
