5

I've tried using this but it didn't work: `app.disable("x-powered-by");` and I have read posts like these:

how to remove X-Powered-By in ExpressJS

Can't get rid of header X-Powered-By:Express

I am using "express": "^4.16.4" as the backend. In the frontend I am using "react": "^16.7.0" as a Single Page App.

UPDATE

express.js on port 5000, react.js on port 3000

When I try to hit this URL http://localhost:5000/api/product, x-powered-by: express is gone.

In my React app, when I try to hit the API http://localhost:5000/api/product, it shows x-powered-by: express again.

Every time I use the API http://localhost:5000/api/product, which means the node.js/express server, I get x-powered-by: express.

Can't Disable X-powered-by express

But when I try `console.log(app);` I get this:

```
          settings:
[0]       { 'x-powered-by': false,
[0]         etag: 'weak',
[0]         'etag fn': [Function: generateETag],
[0]         env: 'development',
[0]         'query parser': 'extended',
[0]         'query parser fn': [Function: parseExtendedQueryString],
[0]         'subdomain offset': 2,
[0]         'trust proxy': false,
[0]         'trust proxy fn': [Function: trustNone],
[0]         view: [Function: View],
[0]         views: 'D:\\WEBSITE\\hammerstout_nodejs_client\\views',
[0]         'jsonp callback name': 'callback' } }, 
```

`'x-powered-by': false`, should this work?

Code

```javascript
import express from 'express';
import bodyParser from 'body-parser';
// import passport from 'passport';
import connection from './config/conn';
import { CategoryRoutes,ProductRoutes } from './modules';
import session  from 'express-session';
const app = express();
app.disable("x-powered-by");
console.log(app);
app.use(session({
    secret: 'keyboard cat',
    resave: false,
    saveUninitialized: true,
    cookie: { secure: true }
}))

app.use(bodyParser.urlencoded({ extended: false }));
app.use(bodyParser.json());
// app.use(passport.initialize());

app.use('/api/', [CategoryRoutes, ProductRoutes]);


const port = process.env.PORT || 5000;
app.listen(port, (err) => {
    if(err){
        console.log(err);
    }else{
        console.log(`Server running on port ! ${port}`);
    }

});
```
  • I was having the same issue on v4.16.*, but `app.disable("x-powered-by");` actually seems to work properly again in v4.17.1 now. – rvanlaarhoven Jun 07 '19 at 12:33
  • 2
    If you think you got it working, that's not because `app.disable("x-powered-by");` is suddenly working in some version of Express. It's because you're looking at your app *without* the proxy. If you are using React for example and its proxy to pass API traffic, that proxy will add the header even if you've disabled it on your Express server. – Christiaan Westerbeek Jun 18 '19 at 07:04

2 Answers

13

I have the same effect with my angular app. I'm using the angular proxy (which is the webpack-dev-server in the end) to access my server (avoiding CORS problems).

Responses do not contain the 'x-powered-by' header when I access the REST-API on my server (on port 3000) with postman or a browser. Accessing the same server with my angular app (on port 4200) using the proxy shows the header.

My findings are: the webpack-dev-server uses express as a basis; so I assume that the "erroneous" header stems from the proxy server not from your server on port 3000.

BerniP
6

`app.disable("x-powered-by");` is the correct way to disable the custom header in express 4.16.4. Here's a working example with express 4.16.4 and node 10.14.2:

```javascript
const express = require('express');
const app = express();

app.disable("x-powered-by");
app.get('/', function(req, res) {
  res.status(200);
  res.send("hello\n\n");
  res.end();
});
app.listen(9876, function() {
  console.log('ready');
});
```

Running this from the command line, then calling `curl -i http://localhost:9876/` results in the following output:

```
HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Content-Length: 7
ETag: W/"7-RYgBn9PSVn8wOBXbat/kibLuX5I"
Date: Mon, 07 Jan 2019 03:24:09 GMT
Connection: keep-alive

hello
```
Dan O