Removing the x-powered-by header


Gary Cox

Mar 25, 2014, 9:08:13 AM
to sai...@googlegroups.com
Having the X-Powered-By header is a security issue. I'm trying to remove it but have not been successful in doing so. I added the following code in my config/local.js and reloaded the app. The header was still present; how do you remove headers on the response?

express: {
  customMiddleware: function (app) {
    app.disable('x-powered-by');
    app.use(function headers(req, res, next) {
      res.removeHeader("X-Powered-By");
      next();
    });
  }
}

Chad McElligott

Mar 25, 2014, 11:28:13 AM
to sai...@googlegroups.com
The X-Powered-By header is added after all middleware have been processed on the request. If you want to change it, you'll need to alter Sails core. The way Express handles this is by conditionalizing it underneath an app setting: app.disable('x-powered-by')

Edy

Mar 25, 2014, 11:29:44 AM
to sai...@googlegroups.com
Instead of removing the header, you can modify it:

module.exports.express = {
  middleware: {
    poweredBy: function xPoweredBy (req, res, next) {
      res.header('X-Powered-By', 'my fancy app');
      next();
    }
  }
};

Ambroise Dhenain

Mar 25, 2014, 11:30:27 AM
to Edy, sai...@googlegroups.com
Why is that a security issue?
--
Regards,

M. Ambroise Dhenain.

Joe Polastre

Mar 25, 2014, 11:44:28 AM
to Edy, sai...@googlegroups.com
If you use nginx, you can also just remove it altogether (this is what we are doing, since it is a security risk):

http://wiki.nginx.org/HttpProxyModule#proxy_hide_header

Gary Cox

Mar 25, 2014, 11:50:19 AM
to sai...@googlegroups.com, Edy
@Ambroise - The security issue is that this header tells an attacker what you are using as your backend. They can then pull the source down and find vulnerabilities more easily. We had our system pen tested and the testers told us we need to remove that header.

Joe Polastre

Mar 25, 2014, 11:52:36 AM
to Gary Cox, sai...@googlegroups.com, Edy
It opens your system up to *automated* attacks. By telling an automated script the software and version that you're running, the attacker can automatically attack any known vulnerabilities in that version of software. It is a low-risk security vulnerability, but a vulnerability nonetheless. Plus, it serves no meaningful purpose to the customer/user/application, so why even bother transmitting it?

Ambroise Dhenain

Mar 25, 2014, 11:52:28 AM
to Gary Cox, sai...@googlegroups.com, Edy
Okay, thanks. It's not a security issue by itself, but it leads to a security breach.

Rob Wormald

Mar 25, 2014, 1:09:14 PM
to Ambroise Dhenain, Gary Cox, sai...@googlegroups.com, Edy
Why not change it to ASP.net? Should confuse the hell out of any automated attacks…

Joe Polastre

Mar 25, 2014, 1:31:43 PM
to Rob Wormald, Ambroise Dhenain, Gary Cox, sai...@googlegroups.com, Edy
Or just invite more of them ;)

On Tue, Mar 25, 2014 at 1:09 PM, Rob Wormald <rob.w...@innitapps.com> wrote:
> Why not change it to ASP.net? Should confuse the hell out of any automated attacks...

Edy

Mar 26, 2014, 5:03:27 AM
to sai...@googlegroups.com
I found out how you can remove the X-Powered-By header. You have to disable both the Sails poweredBy middleware and the Express header:

module.exports.express = {
  middleware: {
    poweredBy: false
  },

  customMiddleware: function (app) {
    app.disable('x-powered-by');
  }
};

On Tuesday, March 25, 2014 14:08:13 UTC+1, Gary Cox wrote:

Ambroise Dhenain

Mar 26, 2014, 5:06:48 AM
to Edy, sai...@googlegroups.com
Don't you think it would be a good idea to do it by default? I mean in Sails itself. Because from what I understand it is just completely useless and nobody should use it.