X-Powered-By disclosed — removing framework fingerprints
The `X-Powered-By` header advertises the framework or runtime serving the response (Express, ASP.NET, PHP). It exists for debugging and provides no value to clients in production — but it narrows attacker exploit research to your exact stack.
Why it matters
The header tells an attacker which framework or runtime to research before they send a single probe, and removing it costs almost nothing: disabling it is a one-line change in most frameworks (`app.disable('x-powered-by')` in Express, `enableVersionHeader="false"` in ASP.NET) or `proxy_hide_header X-Powered-By;` at an nginx reverse proxy.
Real-world risk
Framework and runtime disclosure narrows exploit research to your exact stack.
Fix steps (in order)
- Disable X-Powered-By in the framework (Express: `app.disable('x-powered-by')`; PHP: `expose_php = Off` in php.ini; ASP.NET: `<httpRuntime enableVersionHeader="false" />` removes the `X-AspNet-Version` header, while `X-Powered-By: ASP.NET` is added by IIS and is removed with `<remove name="X-Powered-By" />` under `<system.webServer><httpProtocol><customHeaders>` in web.config).
- Remove it at the reverse proxy as a backstop, so a future framework upgrade cannot reintroduce it: nginx `proxy_hide_header X-Powered-By;` (Apache with mod_headers: `Header unset X-Powered-By`).
Verify the fix in 30 seconds
Run a Scorifya scan on the affected host after deploy. The finding id (x_powered_by) clears once the header is no longer externally observable. Check the response that clients actually receive, through the proxy or CDN, rather than the application server directly: a header hidden at the proxy is still present on the origin.
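As an added example, not Scorifya's scanner and not code from any of the frameworks above, a small Python checker that reports fingerprint headers in a response head captured with `curl -sI` or fetched live. The sample responses are constructed; including the ASP.NET version headers alongside X-Powered-By is an assumption (they disclose the same kind of information).

```python
"""Report framework-fingerprint headers in an HTTP response head."""
from __future__ import annotations
import urllib.error
import urllib.request

# Headers that disclose the serving stack. X-Powered-By is this check's finding;
# the ASP.NET version headers are included as an assumption (same class of leak).
FINGERPRINT_HEADERS = ("x-powered-by", "x-aspnet-version", "x-aspnetmvc-version")


def parse_headers(raw: str) -> list[tuple[str, str]]:
    """Parse a raw HTTP/1.x head (status line + headers) into (name, value) pairs.
    Names are lower-cased, duplicates are kept, the status line and body are ignored."""
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0]
    pairs: list[tuple[str, str]] = []
    for line in head.split("\n")[1:]:  # skip the status line
        if ":" not in line:
            continue  # tolerate junk or folded continuation lines
        name, value = line.split(":", 1)
        pairs.append((name.strip().lower(), value.strip()))
    return pairs


def disclosed(raw: str) -> dict[str, list[str]]:
    """Return {header: [values]} for every fingerprint header with a non-empty value."""
    found: dict[str, list[str]] = {}
    for name, value in parse_headers(raw):
        if name in FINGERPRINT_HEADERS and value:
            found.setdefault(name, []).append(value)
    return found


def probe(url: str, timeout: float = 5.0) -> dict[str, list[str]]:
    """Live check: HEAD the URL (through the proxy/CDN clients use) and inspect its headers.
    Error responses (4xx/5xx) are inspected too, since they often leak the same header."""
    req = urllib.request.Request(url, method="HEAD")
    try:
        resp = urllib.request.urlopen(req, timeout=timeout)
    except urllib.error.HTTPError as err:
        resp = err  # HTTPError carries the response headers as well
    with resp:
        raw = f"HTTP/1.1 {resp.status} {resp.reason}\n"
        raw += "".join(f"{k}: {v}\n" for k, v in resp.getheaders())
    return disclosed(raw)


# Constructed sample responses: before and after the fix.
BEFORE = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nX-Powered-By: Express\r\n\r\n<html>"
AFTER = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>"

if __name__ == "__main__":
    for label, raw in (("before", BEFORE), ("after", AFTER)):
        print(label, disclosed(raw) or "clean")
```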