I have installed the Wappalyzer add-on for the Firefox browser. When I access my web application, it displays the server-side technologies used. In this case it displays the following information:
- Node.js (Programming language)
- Express (Web framework)
- Connect (Web framework)
I need to somehow hide this information from the browser/client for security purposes. So, could anyone shed some light on how I do this in Node.js? Are there any configuration settings that I can change so that they won't send unnecessary information to the browser/client?
Update:
I used the following code to prevent the Express framework from sending the 'x-powered-by' header:
app.disable('x-powered-by');
Even after this change, the server-side stack information is being displayed.
Thanks.
Asked Feb 25, 2014 at 19:03 by sunilkumarba, edited Feb 25, 2014 at 19:21
- Could you print the header(s) you are complaining about? I am not sure which server side information specifically is exposed. – bodokaiser Commented Feb 26, 2014 at 8:19
- The information exposed are the ones I've mentioned in the list above. The response header had x-powered-by set to Express, which I thought was used by Wappalyzer to determine the server-side information (like the programming language and Node.js framework used). Now, even after removing the x-powered-by header, Wappalyzer is able to identify the server-side stack. – sunilkumarba Commented Feb 26, 2014 at 8:44
3 Answers
Finally it's working. The app.disable('x-powered-by') did the trick. After clearing the cache Wappalyzer was not able to determine the server-side stack information.
For those with no custom server, add the following to next.config.js:
poweredByHeader: false
Apart from server side technology by PHP frameworks, change
expose_php = off
in your php.ini.
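
Added example, not part of any answer above: all three settings control the same `X-Powered-By` response header, so checking the raw response head (for instance, the output of `curl -sI`) confirms the change without depending on a browser extension's cache. The function names, the extra check on the `Server` header, and the sample responses (including the `PHP/0.0.0` placeholder version) are constructed for illustration.

```javascript
// Added example: audit a captured response head for stack-disclosing headers.
// The sample responses at the bottom are constructed, not taken from a real server.

// Maps an X-Powered-By value to the setting from the answers that removes it.
const FIXES = [
  { match: /^express/i, fix: "app.disable('x-powered-by')" },
  { match: /^next\.js/i, fix: "poweredByHeader: false in next.config.js" },
  { match: /^php/i, fix: "expose_php = off in php.ini" },
];

// Parse a raw HTTP response head into [lowercased name, value] pairs.
function parseHead(raw) {
  return raw.split(/\r?\n/).slice(1)            // drop the status line
    .map((line) => line.match(/^([^:\s]+):\s*(.*)$/))
    .filter(Boolean)                            // skip blank or malformed lines
    .map(([, name, value]) => [name.toLowerCase(), value.trim()]);
}

// Return one finding per header that names the server-side stack.
function auditHead(raw) {
  const findings = [];
  for (const [name, value] of parseHead(raw)) {
    if (name === "x-powered-by") {
      const known = FIXES.find((f) => f.match.test(value));
      const fix = known ? known.fix : "remove at the server or reverse proxy";
      findings.push({ header: name, value, fix });
    } else if (name === "server" && value !== "") {
      // Assumption: the Server header is treated as disclosure too.
      findings.push({ header: name, value, fix: "remove or genericize at the server or reverse proxy" });
    }
  }
  return findings;
}

// Constructed samples: Express before and after app.disable, and a PHP response.
const before = "HTTP/1.1 200 OK\r\nX-Powered-By: Express\r\nContent-Type: text/html; charset=utf-8\r\n\r\n";
const after = "HTTP/1.1 200 OK\r\nContent-Type: text/html; charset=utf-8\r\n\r\n";
const php = "HTTP/1.1 200 OK\r\nServer: Apache\r\nx-powered-by: PHP/0.0.0\r\n\r\n";

for (const [label, head] of [["before", before], ["after", after], ["php", php]]) {
  console.log(label, JSON.stringify(auditHead(head)));
}
```

An empty result for the "after" sample is what a correctly configured Express app should produce for this header.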