X-Powered-By

Server technology fingerprinting is a routine reconnaissance step for attackers, and the unofficial X-Powered-By response header makes it easier by announcing the framework or platform that generated the response.

Usage

The X-Powered-By header is set automatically by many web frameworks and server platforms to advertise the software stack generating the response. Common values include PHP, Express, ASP.NET, Next.js, and Servlet. Some platforms include version numbers alongside the framework name.

This header provides no functional benefit to clients. The information is purely informational and has no effect on how browsers or HTTP clients process the response.

From a security perspective, X-Powered-By hands attackers implementation details they would otherwise have to probe for. Knowing the exact framework and version lets them look up published vulnerabilities for that release and move straight to targeted exploitation. Security best practice is to remove or suppress the header in production. Most frameworks provide a configuration option or middleware to strip it from outgoing responses; confirm the result with a request against the deployed server rather than trusting the setting alone, because a front-end proxy or the web server itself (IIS, for example) may add its own copy.

The Server header serves a similar purpose by identifying the web server software. Both headers are candidates for removal in hardened deployments, though Server is harder to drop entirely: Apache's ServerTokens Prod and nginx's server_tokens off reduce it to the bare product name, and removing it outright needs an extra module or a proxy in front.

The value is trivially spoofed or overridden, so the header is not a reliable indicator of the actual technology stack; some operators deliberately set a misleading value as a decoy. Treat it as a hint to confirm with other probes (error pages, cookie names, URL conventions), not as ground truth.

Note

The "X-" prefix for custom HTTP headers, "X" originally standing for "experimental", was deprecated by RFC 6648 in 2012. New headers should be registered under a plain name, but existing headers such as X-Powered-By keep their names for compatibility.

Values

Framework or platform name

The value is a freeform string identifying the technology. No standard format exists. Values range from a bare framework name to a name with version number.

Example

PHP includes the language name and version in the header whenever expose_php is enabled, which is the default, regardless of the web server in front of it. Real deployments typically show the full patch version (for example PHP/8.2.12), which is exactly the detail an attacker wants.

X-Powered-By: PHP/8.2

An Express.js application sends a shorter value identifying only the framework name. Express includes this header by default unless disabled through configuration.

X-Powered-By: Express

An ASP.NET application includes the framework identifier without a version number.

X-Powered-By: ASP.NET

Removal

Removing X-Powered-By in production reduces information exposure without affecting functionality.

Express.js:

app.disable('x-powered-by')

Or use the helmet middleware, which disables X-Powered-By by default.

PHP (php.ini or the php-fpm configuration; expose_php is a system-level setting and cannot be changed at runtime with ini_set()):

expose_php = Off

ASP.NET (web.config; the header is added by IIS, so it is removed at the IIS layer rather than in application code. ASP.NET Framework applications also emit X-AspNet-Version and X-AspNetMvc-Version, which need separate handling):

<system.webServer>
  <httpProtocol>
    <customHeaders>
      <remove name="X-Powered-By" />
    </customHeaders>
  </httpProtocol>
</system.webServer>

nginx (strip from upstream responses; place it in the server or location block that proxies to the application):

proxy_hide_header X-Powered-By;

Apache (requires mod_headers; use the always condition as well if the header must also disappear from error responses):

Header unset X-Powered-By
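The following Python script is an added example for this page, not code from PHP, Express, ASP.NET, nginx, Apache or any of their tooling. It parses the freeform header values described under Values into product tokens and versions, audits a response for both X-Powered-By and Server, and can HEAD a live URL to confirm that the removal steps above actually took effect. The two sample responses are constructed, not captured from a real host; fetch_headers is the only part that touches the network, and the function names and severity labels are this example's own.

```python
"""Audit HTTP response headers for technology-fingerprinting leaks.

Added example for this page; not code from PHP, Express, ASP.NET, nginx or
Apache. It parses freeform X-Powered-By / Server values into product tokens
and reports what they disclose.
"""
import re
import urllib.error
import urllib.request

# Headers that advertise the stack. Server is included because it leaks the
# same kind of information and is handled the same way.
FINGERPRINT_HEADERS = ("X-Powered-By", "Server")

# One product token: a name with an optional "/version", e.g. "PHP/8.2.12",
# "ASP.NET", "Servlet/3.0". Parenthesised comments such as "(Ubuntu)" and
# anything else that does not fit the shape are ignored.
_TOKEN_RE = re.compile(r"([A-Za-z][\w.+-]*)(?:/([\w.+-]+))?")


def parse_products(value):
    """Split a freeform header value into (name, version) pairs.

    The value has no standard format, so tokens are separated on whitespace
    or commas and each one is matched independently; version is None when
    only a product name is present.
    """
    products = []
    for token in re.split(r"[\s,]+", value.strip()):
        match = _TOKEN_RE.fullmatch(token)
        if match:
            products.append((match.group(1), match.group(2)))
    return products


def audit_headers(headers):
    """Return findings for fingerprinting headers in a response.

    headers: mapping of header name -> value; lookup is case-insensitive.
    Each finding records the header, product, version and a severity of
    'version' when a release number is disclosed or 'name' when only the
    product is.
    """
    lowered = {name.lower(): value for name, value in headers.items()}
    findings = []
    for header in FINGERPRINT_HEADERS:
        value = lowered.get(header.lower())
        if value is None:
            continue
        for product, version in parse_products(value):
            findings.append({
                "header": header,
                "product": product,
                "version": version,
                "severity": "version" if version else "name",
            })
    return findings


def fetch_headers(url, timeout=5):
    """HEAD a URL and return its response headers (network call).

    A 4xx/5xx reply still carries headers worth auditing, so those are
    returned instead of raised.
    """
    request = urllib.request.Request(url, method="HEAD")
    try:
        with urllib.request.urlopen(request, timeout=timeout) as response:
            return dict(response.getheaders())
    except urllib.error.HTTPError as err:
        return dict(err.headers.items())


# Constructed sample responses, not captured from any real host.
LEAKY_RESPONSE = {
    "Content-Type": "text/html; charset=UTF-8",
    "Server": "Apache/2.4.57 (Ubuntu)",
    "X-Powered-By": "PHP/8.2.12",
}
HARDENED_RESPONSE = {
    "Content-Type": "text/html; charset=UTF-8",
    "Server": "Apache",  # ServerTokens Prod leaves the bare product name
}


def report(headers):
    """Format audit findings as one line per disclosure."""
    findings = audit_headers(headers)
    if not findings:
        return ["no fingerprinting headers found"]
    return [
        f"{f['header']}: {f['product']}"
        + (f" {f['version']} (version disclosed)" if f["version"] else " (name only)")
        for f in findings
    ]


if __name__ == "__main__":
    import sys
    # Pass a URL to audit a live server; otherwise show the constructed samples.
    if len(sys.argv) > 1:
        print("\n".join(report(fetch_headers(sys.argv[1]))))
    else:
        for label, sample in (("leaky", LEAKY_RESPONSE), ("hardened", HARDENED_RESPONSE)):
            print(f"[{label}]")
            print("\n".join("  " + line for line in report(sample)))
```

Run it with no arguments to see the difference between the leaky and hardened samples, or with a URL after applying one of the removal settings above; a result of "name only" for Server and nothing for X-Powered-By is the expected end state. Because the value is freeform and may be spoofed, the parser deliberately accepts anything shaped like a product token rather than matching a fixed list of frameworks.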

Last updated: April 4, 2026