
X-Powered By Header

Purpose

Why use this header at all?

This header tells the client (browser) which software "powers" the web server. It is mostly used by software vendors to measure market share, so they have an incentive to keep the header enabled, even by misrepresenting its security impact (PHP in PHP.INI, for example).

Recommendation

Consider the Impact of Compliance section below to see if this recommendation works for you.

Disable this header.

Risk Mitigated

By following this recommendation, what risk is mitigated?

Disabling this header reduces the accuracy with which an attacker can fingerprint your web server's software and adds a layer of effort for the attacker, which increases the chance that you notice an attack in progress and can react to it. It also makes determining which CVEs apply to your server considerably more difficult.

Impact of Compliance

By following this recommendation, you may expect these changes in your site's functionality

There should be no impact to your site, servers, or third-party consumers if you disable the header.

Next Steps

What you can do to get there

You may use web server configuration or settings within your programming language to disable or suppress this header.

Example

What this header may look like when implemented securely

An insecure response discloses the platform and version, for example:

X-Powered-By: PHP/5.1.6

In a secure configuration this header should be ABSENT from the response.
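A small verification script to confirm the header is actually gone after you change the server or language configuration. This is an added example, not part of the original page; the two raw HTTP responses in it are constructed (one before and one after disabling the header), and a real response can be captured with `curl -sI` against your own site.

```python
"""Check a raw HTTP response for an X-Powered-By disclosure.

Added example (not from the original page). BEFORE and AFTER are
constructed sample responses; a real one can be captured with:
    curl -sI https://your-site.example/
"""
import re

HEADER = "x-powered-by"   # HTTP header names are case-insensitive


def parse_headers(raw_response: str) -> dict:
    """Return {lowercased name: value} for the header block of a raw response."""
    head, _, _ = raw_response.partition("\r\n\r\n")
    headers = {}
    for line in re.split(r"\r?\n", head)[1:]:   # skip the status line
        if not line.strip():
            continue
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def powered_by_finding(raw_response: str):
    """Return None if X-Powered-By is absent, else (product, version) it discloses.

    Version is None when the value carries no '/version' suffix, e.g. 'ASP.NET'.
    """
    value = parse_headers(raw_response).get(HEADER)
    if value is None:
        return None
    m = re.match(r"\s*([^/\s]+)(?:/(\S+))?", value)
    return (m.group(1), m.group(2)) if m else (value, None)


# Constructed sample: the insecure response from the Example section above.
BEFORE = ("HTTP/1.1 200 OK\r\nServer: Apache\r\nX-Powered-By: PHP/5.1.6\r\n"
          "Content-Type: text/html\r\n\r\n<html>...</html>")
# Constructed sample: the same response after the header was disabled.
AFTER = ("HTTP/1.1 200 OK\r\nServer: Apache\r\n"
         "Content-Type: text/html\r\n\r\n<html>...</html>")

if __name__ == "__main__":
    for label, raw in (("before", BEFORE), ("after", AFTER)):
        finding = powered_by_finding(raw)
        print(label, "LEAKS" if finding else "OK", finding)
```

Pipe a captured response in place of the constructed samples to audit a live server; any non-None result means the platform is still being disclosed.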
