X-Powered-By Header
Purpose
Why use this header at all?
This header tells the client (browser) which software "powers" the web server, typically the language runtime or framework that generated the response. Software vendors use it to measure market share, so they have an incentive to emit it by default and to play down its security impact; PHP, for example, sends it whenever the expose_php directive in php.ini is left at its default of On.
Recommendation
Check the Impact of Compliance section below to see whether this recommendation applies to you.
Disable this header.
Risk Mitigated
By following this recommendation, what risk is mitigated?
Disabling this header makes fingerprinting of your web server's software less accurate and forces an attacker to probe for the version by other means. That extra probing is noisier, which increases the chance that you notice an attack in progress and can react to it, and it makes determining which CVEs apply to your stack considerably harder. This is defence in depth, not a substitute for patching: the version can often still be inferred from other signals (error pages, default files, the Server header), so the header's absence buys time rather than removing the underlying exposure.
Impact of Compliance
By following this recommendation, you may expect these changes in your site's functionality
There should be no impact to your site, servers, or third party consumers if you disable the header.
Next Steps
What you can do to get there
You can disable or suppress this header in the web server configuration, in a reverse proxy in front of the server, or in the settings of your programming language or framework (for PHP, set expose_php = Off in php.ini).
Example
What this header may look like when implemented securely
An insecure response discloses the runtime and its version, for example:
X-Powered-By: PHP/5.1.6
A secure response carries no such line at all: this header should be ABSENT.
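As an added example (not code from the original page), the following shell script does the two things a practitioner wants after reading the Next Steps and Example sections above: it switches expose_php off in a php.ini file, the PHP setting that controls this header, and it checks a captured set of response headers to confirm the header is absent. The php.ini path, the sample headers and the helper names are assumptions made for this illustration; the Apache, nginx and Express directives listed in the comments are the standard switches for those servers.

```shell
#!/bin/sh
# Added example (not from the original page): turn the header off on a
# PHP-backed host and verify that it is gone. The php.ini path, the sample
# response and the temp-file handling are assumptions for illustration.

# Set expose_php = Off in the given php.ini (idempotent). PHP reads
# directive names case-sensitively, so only an uncommented 'expose_php'
# line is rewritten; if none exists the directive is appended. The
# location of php.ini varies by distribution and SAPI (php --ini shows it).
disable_expose_php() {
    ini="$1"
    tmp="$ini.tmp.$$"
    if grep -qE '^[[:space:]]*expose_php[[:space:]]*=' "$ini"; then
        sed -E 's/^([[:space:]]*expose_php[[:space:]]*=[[:space:]]*).*$/\1Off/' \
            "$ini" > "$tmp" && mv "$tmp" "$ini"
    else
        printf '\nexpose_php = Off\n' >> "$ini"
    fi
}

# When the header is added by the web server or proxy rather than PHP, the
# equivalent switches are:
#   Apache (mod_headers):        Header unset X-Powered-By
#   nginx in front of PHP-FPM:   fastcgi_hide_header X-Powered-By;
#   nginx as a reverse proxy:    proxy_hide_header X-Powered-By;
#   Express (Node.js):           app.disable('x-powered-by')

# Read raw response headers on stdin (e.g. from `curl -sSI https://host/`)
# and return 0 if no X-Powered-By header is present, 1 if one is. Header
# field names are case-insensitive, so the match ignores case; CRs from
# the CRLF line endings are stripped before the value is reported.
check_powered_by_absent() {
    found=$(grep -i '^x-powered-by:' | tr -d '\r' || true)
    if [ -n "$found" ]; then
        printf 'FAIL: header still present: %s\n' "$found" >&2
        return 1
    fi
    printf 'OK: X-Powered-By absent\n'
    return 0
}

# Typical use against a live host:
#   curl -sSI https://www.example.com/ | check_powered_by_absent
```

Run the check against a live site with `curl -sSI https://your-host/ | check_powered_by_absent`, and repeat it after every deployment: a framework upgrade or a new reverse proxy in the path can quietly reintroduce the header even though php.ini is unchanged.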
Read More!
Welcome! The library is new, and has some content to read over -- We'll be adding more soon!
- Cache Control
- Cookie Flags: Secure
- Cookie Flags: HTTPOnly
- HTTP Strict Transport Security (HSTS)
- HTTP Public Key Pinning (HPKP)
- Pragma
- Server
- X-Frame-Options
- X-Powered-By
- X-XSS-Protection