
I've gone through every question and blog I can find on the topic, but I can't get rid of x-powered-by: express.

Here's my app which has the sole function of not displaying the "x-powered-by: express" header, combining every bit of advice I've been able to find on how to do this. I've tried each one individually, but none have an effect:

"use strict";    
var express = require("express");
var app = express();
app.set("x-powered-by", "your mum");

const helmet = require("helmet");
app.use(helmet());

const killHeader = (req, res, next) => {
   res.removeHeader("X-Powered-By");
   next();
};

app.get("/", killHeader, (req, res) => {
   res.header("X-powered-by", "A sack of rats");
   res.removeHeader("X-Powered-By");
   res.send("Hello world without x-powered headers");
});

app.disable("x-powered-by");

app.listen(3000, function () {
   console.log("Running");
});

I feel like I must be missing a key bit of information as to where headers get generated and sent from, as no combination of the above strategies makes a difference when inspected in the network tab of Chrome. The environment is Windows, run via VSCode, but I have the same problem on Nginx in Ubuntu.

Rusty
    Have you tried `app.use((req, res, next) => {res.set("X-powered-by", "A sack of rats"); next();});` – Sagar V Apr 19 '21 at 17:19
  • This would also have worked after I found the issue was down to Chrome caching the headers, see @drakmord2 answer – Rusty Apr 19 '21 at 17:46

1 Answer

You must be getting a cached response from your browser. Try checking the disable cache option on Chrome Dev Tools or use an incognito tab. The Helmet middleware removes the X-powered-by header by default. The following code

   
const express = require("express");
const app = express();
const helmet = require("helmet");

app.use(helmet());

app.get("/", (req, res) => {
   res.send("Hello world without x-powered headers");
});

app.listen(3000, function () {
  console.log("Running");
});

Returns the following headers

HTTP/1.1 200 OK
X-DNS-Prefetch-Control: off
X-Frame-Options: SAMEORIGIN
Strict-Transport-Security: max-age=15552000; includeSubDomains
X-Download-Options: noopen
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Content-Type: text/html; charset=utf-8
Content-Length: 37
ETag: W/"25-CWR19lYRAgXhHOXfwllpUDHFWas"
Date: Mon, 19 Apr 2021 17:37:11 GMT
Connection: keep-alive

Tested with the following dependency versions

"dependencies": {
    "express": "4.16.4",
    "helmet": "3.21.2"
}
Drakmord2
    Thanks - I had just come to the same conclusion after noticing a header that had no way of being there with the code run. I didn't realise header caching was a thing, but that was the missing bit of knowledge. Turns out Firefox doesn't seem to cache it by default, unlike Chrome which does. – Rusty Apr 19 '21 at 17:45
  • Incidentally, opening a new incognito mode actually appears to retain the cache from the originally sent headers. I thought incognito windows were entirely sandboxed, but apparently not. – Rusty Apr 19 '21 at 17:49
  • I'm using Postman, not a browser, and still can't get rid of the damn header. I wonder why TF people put useless headers in their frameworks activated by default – Miguel Jul 07 '23 at 00:29