Removing X-Powered-By

How to remove x-powered-by header in .net core 2.0

  • In addition to @Brando Zhang's answer, to remove "Server:Kestrel" from the response header:

- .NET Core 1

var host = new WebHostBuilder()
    // Stop Kestrel from adding its "Server" response header
    .UseKestrel(c => c.AddServerHeader = false)
    .UseContentRoot(Directory.GetCurrentDirectory())
    .UseIISIntegration()
    .UseStartup<Startup>()
    .Build();

- .NET Core 2

WebHost.CreateDefaultBuilder(args)
    // Stop Kestrel from adding its "Server" response header
    .UseKestrel(c => c.AddServerHeader = false)
    .UseStartup<Startup>()
    .Build();

Can't remove x-powered-by header in Node Express

You must be getting a cached response from your browser. Try checking the "Disable cache" option in Chrome DevTools or use an incognito tab. The Helmet middleware removes the X-Powered-By header by default. The following code

const express = require("express");
const app = express();
const helmet = require("helmet");

// Helmet's default middleware set includes removal of X-Powered-By
app.use(helmet());

app.get("/", (req, res) => {
  res.send("Hello world without x-powered headers");
});

app.listen(3000, function () {
  console.log("Running");
});

returns the following headers:

HTTP/1.1 200 OK
X-DNS-Prefetch-Control: off
X-Frame-Options: SAMEORIGIN
Strict-Transport-Security: max-age=15552000; includeSubDomains
X-Download-Options: noopen
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Content-Type: text/html; charset=utf-8
Content-Length: 37
ETag: W/"25-CWR19lYRAgXhHOXfwllpUDHFWas"
Date: Mon, 19 Apr 2021 17:37:11 GMT
Connection: keep-alive

Tested with the following dependency versions

"dependencies": {
  "express": "4.16.4",
  "helmet": "3.21.2"
}
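To confirm the header is really gone without a browser in the way, the response can be checked directly. The following is an added example, not part of the original answer: the function names and the sample responses are constructed for illustration, and the header names checked are the ones named on this page.

```javascript
// Added example: audit response headers for stack-disclosing fields.
// Function names are hypothetical; header names are the ones this page discusses.
const DISCLOSURE_HEADERS = ["server", "x-powered-by", "x-aspnet-version", "x-aspnetmvc-version"];

// Parse the head of a raw HTTP response (status line plus header fields)
// into [lowercased-name, value] pairs. Duplicate fields are kept.
function parseResponseHead(raw) {
  const pairs = [];
  for (const line of raw.split(/\r?\n/).slice(1)) { // slice(1) skips the status line
    if (line.trim() === "") break;                  // blank line ends the header block
    const idx = line.indexOf(":");
    if (idx <= 0) continue;                         // not a header field
    pairs.push([line.slice(0, idx).trim().toLowerCase(), line.slice(idx + 1).trim()]);
  }
  return pairs;
}

// Return the disclosing headers that are present, and flag values that
// also carry a dotted version number (for example "Microsoft-IIS/10.0").
function findDisclosure(pairs) {
  return pairs
    .filter(([name]) => DISCLOSURE_HEADERS.includes(name))
    .map(([name, value]) => ({ name, value, hasVersion: /\d+(\.\d+)+/.test(value) }));
}

// Live check against a running server (Node 18+ for the global fetch).
// "no-store" asks that no HTTP cache be used; redirects are not followed,
// so the headers reported belong to the URL that was actually requested.
async function auditUrl(url) {
  const res = await fetch(url, { cache: "no-store", redirect: "manual" });
  return findDisclosure([...res.headers].map(([n, v]) => [n.toLowerCase(), v]));
}

// Constructed sample: an Express app that does not use Helmet.
const SAMPLE_BEFORE = "HTTP/1.1 200 OK\r\nX-Powered-By: Express\r\nContent-Type: text/html; charset=utf-8\r\n\r\n";
// Constructed sample: abbreviated from the Helmet response shown above.
const SAMPLE_AFTER = "HTTP/1.1 200 OK\r\nX-Frame-Options: SAMEORIGIN\r\nX-Content-Type-Options: nosniff\r\nConnection: keep-alive\r\n\r\n";
// Constructed sample: IIS / ASP.NET style response headers.
const SAMPLE_IIS = "HTTP/1.1 200 OK\nServer: Microsoft-IIS/10.0\nX-Powered-By: ASP.NET\nX-AspNet-Version: 4.0.30319\n\n";

for (const [label, raw] of [["before", SAMPLE_BEFORE], ["after", SAMPLE_AFTER], ["iis", SAMPLE_IIS]]) {
  console.log(label, findDisclosure(parseResponseHead(raw)));
}
```

For a live server, call `auditUrl("http://localhost:3000/")` and expect an empty array once the headers have been removed.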

How to remove X-Powered-By from header?

In WebLogic Administration Console, click on the domainName -> Configuration tab -> Web Application sub tab. Set "X-Powered-By Header" to "X-Powered-By Header will not be sent".

As you said, the method below is not working for you:
To stop the X-Powered-By JSF HTTP header related to a custom application, the following context parameter can be added to the application's web.xml:

<context-param>
    <param-name>com.sun.faces.sendPoweredByHeader</param-name>
    <param-value>false</param-value>
</context-param>

As per "Can X-Powered-By Setting Be Done in weblogic.xml or web.xml? (Doc ID 1505570.1)"
1) XPoweredBy is set at domain's WebAppContainerMBean

http://docs.oracle.com/cd/E14571_01/apirefs.1111/e13945/weblogic/management/configuration/WebAppContainerMBean.html#setXPoweredByHeaderLevel(java.lang.String)

setXPoweredByHeaderLevel

void setXPoweredByHeaderLevel(String xPoweredByHeaderLevel)
Sets the level for XPoweredBy header information

Parameters:
xPoweredByHeaderLevel -
See Also:
WebAppContainerMBean.getXPoweredByHeaderLevel()
Valid Values:
"NONE","SHORT","MEDIUM","FULL"

2) There is no equivalent setting in weblogic.xml and web.xml

http://docs.oracle.com/cd/E21764_01/web.1111/e13712/weblogic_xml.htm
http://docs.oracle.com/cd/E21764_01/web.1111/e13712/web_xml.htm

In short, this is a domain level setting, thus cannot be set at application level through weblogic.xml or web.xml.

In IIS, can I safely remove the X-Powered-By ASP.NET header?

This header (and a few other headers) is not required or used by modern browsers and can safely be removed from the web site configuration in IIS without consequence. Other server-side languages also tend to include a "Powered by..." header that can be safely removed. Here is another article that claims the same thing:

https://web.archive.org/web/20210506093425/http://www.4guysfromrolla.com/articles/120209-1.aspx

[...]

The Server, X-Powered-By, X-AspNet-Version, and X-AspNetMvc-Version HTTP headers provide no direct benefit and unnecessarily chew up a small amount of bandwidth. Fortunately, these response headers can be removed with some configuration changes.


