X-Powered-By Header
Why use this header at all?
This header tells the client (browser) what software "powers" the web server. It is mostly used by software vendors to measure market share, so they have an incentive to keep it enabled by default and to downplay its security impact (PHP, for example, emits it whenever `expose_php` is On in php.ini, which is the default).
Consider the Impact of Compliance section below to see if this recommendation works for you.
Disable this header.
By following this recommendation, what risk is mitigated?
Disabling this header reduces the accuracy with which an attacker can fingerprint your web server's software stack and forces them to work harder to identify it, typically by sending more probes. That extra activity increases the chance that you notice the attack and are able to react. It also makes determining which CVEs apply considerably more difficult, because the header would otherwise hand the attacker the exact product and often the version. Treat this as defence in depth: it does not remove the underlying vulnerabilities, and other signals (the Server header, default cookie names, error pages) still leak some information.
Impact of Compliance
By following this recommendation, you may expect these changes in your site's functionality:
There should be no impact to your site, servers, or third-party consumers if you disable the header; no client depends on it.
What you can do to get there
You can disable or suppress this header in the web server configuration, or in the settings of your application framework or language runtime.
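The following script is an added example, not part of the original page, that checks a captured HTTP response header block for X-Powered-By so you can verify the change after reconfiguring a server. The sample responses are constructed, the `check_live_host` helper and `TARGET_URL` variable are this example's own names, and the live check needs network access and `curl`.

```shell
#!/bin/sh
# Added example (not from the original page): detect an X-Powered-By header
# in an HTTP response header block, and optionally check a live host.

# check_powered_by RAW_HEADERS
# Exit status 0 if no X-Powered-By header is present, 1 if one is.
# Header field names are case-insensitive and real responses use CRLF
# line endings, so strip the CR and match without regard to case.
check_powered_by() {
    if printf '%s\n' "$1" | tr -d '\r' | grep -qi '^x-powered-by:'; then
        return 1
    fi
    return 0
}

# powered_by_value RAW_HEADERS
# Prints the value of the first X-Powered-By header (e.g. "PHP/7.4.3"), or
# nothing if the header is absent. Useful for tracking which backend is
# still leaking its stack during a remediation rollout.
powered_by_value() {
    printf '%s\n' "$1" | tr -d '\r' | grep -i '^x-powered-by:' | head -n 1 \
        | sed 's/^[^:]*:[[:space:]]*//'
}

# check_live_host URL
# Fetches only the headers of URL with curl and runs the check on them.
# Requires network access; the URL is supplied by the caller.
check_live_host() {
    headers=$(curl -sSI --max-time 10 "$1") || return 2
    if check_powered_by "$headers"; then
        echo "OK: no X-Powered-By header from $1"
    else
        echo "FAIL: $1 sends X-Powered-By: $(powered_by_value "$headers")"
        return 1
    fi
}

# Constructed sample responses for offline use (not captured from real servers).
INSECURE_RESPONSE='HTTP/1.1 200 OK
Server: nginx
X-Powered-By: PHP/7.4.3
Content-Type: text/html; charset=UTF-8'

SECURE_RESPONSE='HTTP/1.1 200 OK
Server: nginx
Content-Type: text/html; charset=UTF-8'

# Offline demonstration against the constructed samples.
check_powered_by "$INSECURE_RESPONSE" \
    || echo "insecure sample leaks: $(powered_by_value "$INSECURE_RESPONSE")"
check_powered_by "$SECURE_RESPONSE" && echo "secure sample: header absent"

# Opt-in live check: TARGET_URL=https://your.host.example sh this_script.sh
if [ -n "${TARGET_URL:-}" ]; then
    check_live_host "$TARGET_URL"
fi
```

Typical settings to make the check pass, depending on what emits the header: `expose_php = Off` in php.ini for PHP; `fastcgi_hide_header X-Powered-By;` (or `proxy_hide_header X-Powered-By;` for proxied backends) in nginx; `Header unset X-Powered-By` with mod_headers in Apache; `app.disable('x-powered-by')` in Express. Removing the header at the reverse proxy is a useful backstop, but fixing it at the source also stops it leaking on paths that bypass the proxy.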
What this header may look like when implemented securely
This header should be ABSENT