X-Powered-By

The HTTP X-Powered-By response header is an unofficial HTTP header revealing the technology or framework running on the server.

Usage

The X-Powered-By header is set automatically by many web frameworks and server platforms to advertise the software stack generating the response. Common values include PHP, Express, ASP.NET, Next.js, and Servlet. Some platforms include version numbers alongside the framework name.

This header provides no functional benefit to clients. It is purely informational and has no effect on how browsers or HTTP clients process the response.

From a security perspective, the X-Powered-By header exposes server implementation details attackers use during reconnaissance. Knowing the exact framework and version running on a server allows targeted exploitation of known vulnerabilities. Security best practice is to remove or suppress this header in production environments. Most frameworks provide configuration options or middleware to strip the header from outgoing responses.

The Server header serves a similar purpose by identifying the web server software. Both headers are candidates for removal in hardened deployments.
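
An added example, not from the original page: a Python WSGI middleware that strips X-Powered-By and Server from an application's responses, with an audit helper that flags either header and reports whether its value carries a version. The names audit_headers, StripDisclosureHeaders, leaky_app and response_headers are hypothetical, the version check is an assumed heuristic, and the sample application is constructed.

```python
import re

# Headers the page names as candidates for removal in hardened deployments.
DISCLOSURE_HEADERS = ("x-powered-by", "server")
# Assumed heuristic: a digit after "/" or a space marks a version ("PHP/8.2").
VERSION_RE = re.compile(r"[/ ]v?\d")


def audit_headers(headers):
    """Return one finding per (name, value) pair that discloses the stack."""
    return [
        {"header": name, "value": value,
         "has_version": bool(VERSION_RE.search(value))}
        for name, value in headers
        if name.lower() in DISCLOSURE_HEADERS
    ]


class StripDisclosureHeaders:
    """WSGI middleware that drops disclosure headers set by the wrapped app.

    It cannot remove headers added later by the WSGI server or a fronting
    web server; those are disabled in that server's own configuration.
    """

    def __init__(self, app):
        self.app = app

    def __call__(self, environ, start_response):
        def filtered_start(status, headers, exc_info=None):
            kept = [(n, v) for n, v in headers
                    if n.lower() not in DISCLOSURE_HEADERS]
            return start_response(status, kept, exc_info)
        return self.app(environ, filtered_start)


def leaky_app(environ, start_response):
    """Constructed sample app that advertises its stack, as in the page's example."""
    start_response("200 OK", [("Content-Type", "text/plain"),
                              ("X-Powered-By", "PHP/8.2")])
    return [b"ok"]


def response_headers(app):
    """Call a WSGI app once and return the headers it handed to start_response."""
    captured = []
    def start_response(status, headers, exc_info=None):
        captured.extend(headers)
    list(app({"REQUEST_METHOD": "GET", "PATH_INFO": "/"}, start_response))
    return captured
```

Running audit_headers over the headers of the wrapped and unwrapped application gives a before and after check suitable for a deployment test.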

The value is easily spoofed or overridden, so the header is not a reliable indicator of the actual technology stack. Some servers deliberately set misleading values as a defense-in-depth measure.

Note

The "X-" naming convention for HTTP headers, with "X" referring to "experimental", has been deprecated, and such headers need to be transitioned to the formal naming convention for HTTP headers.

Values

Framework or platform name

The value is a freeform string identifying the technology. No standard format exists. Values range from a bare framework name to a name with version number.

Example

A PHP application running on an Apache server includes the language and version in the header value.

X-Powered-By: PHP/8.2

An Express.js application sends a shorter value identifying only the framework name. Express includes this header by default unless disabled through configuration.

X-Powered-By: Express

An ASP.NET application includes the framework identifier without a version number.

X-Powered-By: ASP.NET

Takeaway

The X-Powered-By response header is an unofficial header disclosing server-side technology. Removing this header in production reduces the information available to attackers during reconnaissance, following the same principle as limiting the Server header.

Last updated: March 4, 2026