176

I want to remove X-Powered-By for security and to save bandwidth in ExpressJS (Node.js). How do I do it? Could it be a filter (app.use)?

app.use(function(req,res,next_cb){ /* remove X-Powered-By header */ next_cb(); });
MajidTaheri

3 Answers

368

Don't remove it; ask Express not to generate it in the first place:

https://stackoverflow.com/a/12484642/506073

Go to your app.js and just after:

var app = express();

Add:

app.disable('x-powered-by');
Community
ahcox
  • 25
    IMO, this should be the answer - middleware is a performance hit on every request, why not just prevent the header being spawned in the first place? – Lee Benson Jul 21 '13 at 08:27
  • 4
    One could also use `app.set('x-powered-by', false);` – tim-montague Jun 02 '16 at 13:51
  • This only removes temporarily custom headers once set, if I comment-out this line in my code the custom header reappears, so it is not deleted... and I need to delete it! I also tried `res.removeHeader("custom1");` but it doesn't work... – neoDev Sep 14 '16 at 05:09
  • 2
    err....it works...took it off on the client – Kermit_ice_tea Oct 14 '16 at 20:59
  • 17
    It's not working for me. The line `app.disable('x-powered-by');` seems to have no effect whatsoever... – Stijn de Witt Oct 22 '18 at 15:13
  • I reckon that is because the page you are working on has a cache. I have the same problem. So, after I changed some code in the router I am working on, the 'X-Powered-By' header was removed. – Jang-Ho Bae Sep 18 '20 at 15:28
  • When you test this, make sure that you connect directly to your express application. i.e. I accidentally connected to the frontend-proxy which happened to also use express and has added the x-powered-by header again. – TmTron Dec 16 '21 at 15:59
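The last comment above names a common reason the setting seems to have no effect: the header is re-added by something in front of the app. The following is an added example, not code from the thread, that probes the same service directly and through a proxy and reports the `X-Powered-By` value seen on each path. It assumes stand-in servers built with Node's `http` module in place of Express; all function names and values are constructed for illustration.

```javascript
// Added example. Stand-in servers use Node's built-in http module, not Express;
// every name and header value below is constructed for illustration.

// Bind a throwaway server to a free loopback port.
async function listen(handler) {
  const http = await import('node:http');
  const server = http.createServer(handler);
  await new Promise((resolve) => server.listen(0, '127.0.0.1', resolve));
  return server;
}

// Return the X-Powered-By value served at `url`, or null when it is absent.
async function poweredBy(url) {
  const http = await import('node:http');
  return new Promise((resolve, reject) => {
    http.get(url, { agent: false }, (res) => {
      res.resume(); // drain the body so the socket can close
      resolve(res.headers['x-powered-by'] ?? null);
    }).on('error', reject);
  });
}

// Probe the app directly and through a proxy that re-adds the header.
async function compareDirectAndProxied() {
  const http = await import('node:http');
  // Stand-in for the app after app.disable('x-powered-by'): header not sent.
  const backend = await listen((req, res) => res.end('ok'));
  const backendUrl = `http://127.0.0.1:${backend.address().port}/`;
  // Stand-in for a front-end proxy that still sends the default header.
  const proxy = await listen((req, res) => {
    http.get(backendUrl, { agent: false }, (upstream) => {
      res.writeHead(upstream.statusCode, { ...upstream.headers, 'X-Powered-By': 'Express' });
      upstream.pipe(res);
    }).on('error', () => { res.statusCode = 502; res.end(); });
  });
  try {
    return {
      direct: await poweredBy(backendUrl),
      proxied: await poweredBy(`http://127.0.0.1:${proxy.address().port}/`),
    };
  } finally {
    backend.close();
    proxy.close();
  }
}

compareDirectAndProxied().then((result) => console.log(result));
```

Pointing `poweredBy` at both the app's own port and the public URL shows which hop is adding the header.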
243

The better way to do it is:

app.disable('x-powered-by');

You can also make a middleware to remove any header like so:

app.use(function (req, res, next) {
  res.removeHeader("X-Powered-By");
  next();
});

See more info on how to remove a header:

http://nodejs.org/api/http.html#http_response_removeheader_name

Travis
alessioalex
  • 8
    This is not the desired/perfect/correct answer. See the one with the most upvotes. Cheers! – ptz0n Feb 12 '14 at 12:40
  • 1
    True, updated my answer to reflect that. – alessioalex Feb 12 '14 at 16:49
  • I just tested `app.disable('custom1');` And it worked fine (it removed the header from server response). But then I commented out `app.disable('custom1');` and the header appears again... Is this normal? I do no longer have the `res.header("custom1", "test");` in my code as I do no longer want that header, but it still appears... – neoDev Sep 14 '16 at 04:56
  • I just tested `app.disable('custom1');` And it worked fine (it removed the header from server response). But then I commented out `app.disable('custom1');` and the header appears again... Is this normal? I do no longer have the `res.header("custom1", "test");` in my code as I do no longer want that header, but it still appears... I also tried `res.removeHeader("custom1");` but it doesn't work... – neoDev Sep 14 '16 at 05:09
  • Best practice is to disable it within Express. See the answer below. – Sebastien H. Sep 11 '18 at 11:08
9

Middleware snippet from: Can't get rid of header X-Powered-By:Express

// Switch off the default 'X-Powered-By: Express' header.
// This is an app-level setting, so call it once at startup rather than on every request.
app.disable( 'x-powered-by' );

function customHeaders( req, res, next ){
  // OR set your own header here
  res.setHeader( 'X-Powered-By', 'Awesome App v0.0.1' );

  // .. other headers here

  next();
}

app.use( customHeaders );

// ... now your code goes here
Community
papercowboy