What is a X-Powered-By header?

 

An X-Powered-By header is a type of HTTP response in the header field (most headers prefixed with an ‘X-‘ are non-standard) that informs the user which technology stack or framework is running on the web server. For example, if a web server is running Node.js, the header would be “X-Powered-By:Express”, which indicates an Express framework is being used. 

 

Why does X-Powered-By header exist?

 

The purpose of X-Powered-By header is to identify the underlying technology used by the server, such as specifying which version of PHP, ASP.NET, Node.js or a specific web application framework.

 

These headers are useful for debugging and development providing information on server configurations allowing developers to quickly identify the environment. Additionally they are also used by brands to market their specific framework or software being used. 

 

The importance of disabling X-Powered-By header

 

By exposing a web server's underlying technology, it is also leaking  this information to  would-be attackers. This header can give potential attackers additional information about a web server, making it easier for them to find and focus their efforts on exploiting known vulnerabilities of the technology being used.

 

The vulnerability where the server exposes information through “X-Powered-By” header can be fixed by removing or modifying the “X-Powered-By” HTTP response header. Once the header is removed, an attacker can no longer tailor their attacks to specific technology. This makes it harder for them to identify potential weaknesses, decreasing attack surfaces and enhancing a website’s security

 

The vulnerability arises when the web or application server includes “X-Powered-By” HTTP response headers in its responses. These headers often reveal details about the server software or underlying frameworks used by the application. Attackers can exploit this information to identify potential weaknesses in these components and carry out targeted attacks.

 

How to ensure X-Powered-By is removed

 

To ensure the header is removed do the following:

Enter the following command in AppCmd.exe to configure:

 

%systemroot%\system32\inetsrv\appcmd.exe set config –

section:system.webServer/httpProtocol /-“customHeaders.[name=’X-Powered-By’]”

/commit:apphost

 

OR

 

Enter the following command in PowerShell to configure:

 

Remove-WebConfigurationProperty -pspath ‘MACHINE/WEBROOT/APPHOST’ -filter

“system.webserver/httpProtocol/customHeaders” -name “.” -AtElement @{name=’XPowered-By’}

 

Recommended setting 


Remove the X-Powered-by header 

 

Best practices

 

It is recommended to remorse or modify this header setting to avoid revealing unnecessary information. This helps reduce the attack surfaces,  preventing the exposure of software versions and configurations, thereby enhancing the overall security posture of the server.

 

Another way to protect a server is through server hardening, safeguarding a system against potential security threats and vulnerabilities. This proactively protects sensitive data and resources and ensures compliance with security standards and regulations. Together this ultimately contributes to the reliability and resilience of a company’s infrastructure.

You might be interested