54

I'm just curious to know what "x-powered by" means when we try to find the Web Server Information about some website.

What I'm trying:

Actually, I'm trying to find out what technologies different websites are using. But the confusion arises when the "Web Server Information" for one particular website shows x-powered-by: ZendServer 8.5.0,ASP.NET, which lists ZendServer, which is for PHP, and ASP.NET, which is the opposite (technology) to PHP. The bad question that comes to my mind after seeing this x-powered-by information is "Are they using both at a time?"

K. Kusumo
Ali Mohyudin

3 Answers

66

"X-Powered-By" is a common non-standard HTTP response header (most headers prefixed with an 'X-' are non-standard). It's often included by default in responses constructed via a particular scripting technology.

It's important to note that it can be disabled and/or manipulated by the server. Some servers choose not to include it or even to provide misleading information to throw off hackers that might target a particular technology/version.

If I wanted to send out that response header in a PHP script it's as simple as including the following code:

header('x-powered-by: ZendServer 8.5.0,ASP.NET');

It cannot necessarily be trusted. The server in question could very well be using some combination of technologies you mentioned, or perhaps neither. It can be a helpful start, but there is no way to definitively tell what scripting software is being used on a server simply from an HTTP response.

b3nThomas
rawb
17

It – like all headers – is sent by the server (including any web application running on that server). Or it could be set by an intermediate proxy.

X-Powered-By is set by various servers to say what kind of server it is.

Software installed on that server might override the server's default.

There is an argument that giving this information to clients gives information that can only serve to help attackers (just a little bit: saves working out what kind of server).

Summary: set by server, at best informational, at worst could make attacks a tiny bit easier.

Richard
7

Which tool are you using to find out the technology behind a website? The website could be powered by several technologies at once. Here is a link to help you with it.

Community
  • If you find it helpful, please upvote and select it as the right answer. Thanks. –  Nov 07 '15 at 08:39
  • 1
    Sorry actually my question was about "what is meant by x-powered-by?" so it would be bad if I mark your answer as the right answer but it was helpful because I knew more about IIS. – Ali Mohyudin Nov 07 '15 at 08:42
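
An added example (not part of any post above), in Python: it shows how a client ends up with a combined value like the one in the question when two layers each add their own X-Powered-By field line, and that a single line written by one script produces the identical value, so the header alone cannot say which happened. Both sample responses are constructed and the function names are hypothetical.

```python
import re

# Constructed sample: two layers each add their own X-Powered-By field line.
TWO_LAYERS = ("HTTP/1.1 200 OK\r\n"
              "Content-Type: text/html\r\n"
              "X-Powered-By: ZendServer 8.5.0\r\n"
              "x-powered-by: ASP.NET\r\n"
              "\r\n")

# Constructed sample: one script writes the whole value itself, as the
# header() call quoted in the first answer would.
ONE_SCRIPT = ("HTTP/1.1 200 OK\r\n"
              "x-powered-by: ZendServer 8.5.0,ASP.NET\r\n"
              "\r\n")

# A trailing version such as " 8.5.0" or "/5.6.30" at the end of a token.
TRAILING_VERSION = re.compile(r"[ /]v?(\d+(?:\.\d+)*)\s*$")

def combined_field(raw, name):
    """Join all field lines called `name` (case-insensitive) with ','.
    HTTP allows a recipient to combine repeated field lines this way."""
    values = []
    for line in raw.split("\r\n")[1:]:      # skip the status line
        if not line:
            break                           # blank line ends the headers
        key, sep, value = line.partition(":")
        if sep and key.strip().lower() == name.lower():
            values.append(value.strip())
    return ",".join(values) if values else None

def disclosed_products(field_value):
    """Split the combined value into (product, version or None) pairs."""
    products = []
    for token in (field_value or "").split(","):
        token = token.strip()
        if not token:
            continue
        m = TRAILING_VERSION.search(token)
        products.append((token[:m.start()], m.group(1)) if m else (token, None))
    return products

def audit(raw):
    """Findings a reviewer would raise about what the header gives away."""
    findings = []
    for product, version in disclosed_products(combined_field(raw, "X-Powered-By")):
        detail = f"exact version {version}" if version else "product name"
        findings.append(f"X-Powered-By discloses {detail} for {product}")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(TWO_LAYERS)))
```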