Security improvement: don't reveal powered-by by madarche · Pull Request #2813 · expressjs/express

Look, removing the header provides no security benefits. Removing the "frivolous" header only does that--removes a non-useful header. What is the point of the header you say? Well, it's to give credit to the hard-working people who have enabled you to write your code so fast, who you never even gave money to, as this is free, open source. This library is even MIT licensed, so please, feel free to fork it and provide your own copy that does not include the header if you wish.

A lot of people incorrectly assume that "if that header is not there, attackers won't know I'm running Express!". I was walked through a commercial security product that does server identification by security engineering. This software even includes specific detection for Express.js (it being popular), and these are some of the rules it uses:

  1. Are there response headers all in lower-case? The more there are, the more points assigned as likely being a Node.js server, which in turn counts towards Express.js.
  2. Some requests to random URLs are made looking for a 404. If the response body is in the format "Cannot GET {url}" then it gives a massive number of points towards it being Express.js. This is actually the main giveaway it uses to know you are an Express.js server.
  3. What does the ETag header look like if there is one? There are definitions for the different versions of the ETag header format for Express.js, so this header matching certain formats not only gives points towards being Express.js, but even hints at the version of Express.js you are using, since the format has changed over time (even the X-Powered-By header doesn't provide that level of detail, since it does not contain a version).

Even then, when using the server vulnerability attacking part of that software, it will simply try Express.js attacks against a server, regardless of whether it even thinks the server is Express.js. This is because, since everything is configurable, there is no good way to truly know.

The X-Powered-By and Server headers are frivolous headers, I agree. Does removing them help with security? No, only increases obscurity, which is not a valid form of security by any means.

Just think of it this way: we give you Express.js for free and in return "trick" you into giving us credit for our hard work or you have to put 1 line of code in your application, which is already code and your developers should understand how to code when using Express.js.

There is no further discussion to be had on this topic.