X-Generator

The HTTP X-Generator response header is an unofficial HTTP header identifying the content management system or site generator producing the page.

Note

The "X-" naming convention for HTTP headers, "X" referring to "experimental", has been deprecated and needs to be transitioned to the formal naming convention for HTTP headers.

Table of Contents

Usage

Drupal adds the X-Generator header to identify itself in HTTP responses. Other CMS platforms like WordPress and Joomla expose similar information through <meta name="generator"> HTML tags rather than an HTTP header. The header value includes the CMS name, version number, and sometimes a link to the project website. Drupal adds this header by default on all responses from Drupal 8 and later.

The header reveals the specific software and version running on the server. This information is similar to what the X-Powered-By header exposes for application frameworks and the Server header exposes for web server software. The Powered-By header carries similar technology disclosure information.

Removing the header is a common hardening step. In Drupal, the header is added by the ResponseGeneratorSubscriber event subscriber and is removed by overriding the subscriber or using a contributed module. Exposing the CMS version helps attackers identify known vulnerabilities in specific releases.

Values

CMS name and version string

The value contains the CMS name followed by its major version number. Some implementations include a URL pointing to the CMS project website. The format varies by CMS.

Common patterns:

  • Drupal 11 (https://www.drupal.org) for Drupal sites
  • Drupal 10 (https://www.drupal.org) for Drupal 10

Example

A Drupal 11 site includes the CMS name, major version, and a link to the Drupal project website. This is the default format Drupal uses for the header value.

X-Generator: Drupal 11 (https://www.drupal.org)

An older Drupal 10 installation returns the same format with a different version number. The URL remains the same across all Drupal versions.

X-Generator: Drupal 10 (https://www.drupal.org)

A Drupal 8 site still running in production. The header format has remained consistent across Drupal 8, 9, 10, and 11, making version identification straightforward.

X-Generator: Drupal 8 (https://www.drupal.org)

Takeaway

The X-Generator header identifies the CMS and version producing the response. Removing the header is a recommended hardening step to avoid exposing software version details to potential attackers.

See also

Last updated: March 6, 2026