
HEADER
To reduce the security risk and the performance cost, remove unnecessary HTTP headers from the server response. The following examples cover several popular web servers and scripting languages.
- PHP
- Apache
- Nginx
- IIS
- Node.js
- Express.js
PHP
To remove previously set headers in PHP, use the header_remove() function. This function is available since PHP 5.3.0.
header_remove("X-Powered-By");
APACHE
To remove a response header in Apache, use the Header directive with the unset argument. The Header directive can be used in the server config (e.g. httpd.conf), a virtual host, or a site-specific .htaccess.
Header unset X-Powered-By
NGINX
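To remove an HTTP response header in Nginx, use one of the following directives: proxy_set_header, proxy_hide_header, more_clear_headers.
# proxy_set_header changes the request passed to the proxied server:
# an empty value stops X-Powered-By from being forwarded upstream.
proxy_set_header X-Powered-By "";
# or: hide a header returned by the proxied server from the client
proxy_hide_header X-Powered-By;
# or: clear a response header (requires the headers-more module)
more_clear_headers Server;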
MICROSOFT IIS
To remove unwanted response headers in Microsoft IIS 7.0 to 8.5 use the Dionach StripHeaders native-code module. The default configuration is shown below:
<configuration>
  <system.webServer>
    <stripHeaders>
      <header name="Server" />
      <header name="X-Powered-By" />
      <header name="X-Aspnet-Version" />
    </stripHeaders>
  </system.webServer>
</configuration>
NODE.JS
To remove a response header in Node.js, use the removeHeader() function. This function was added in v0.4.0.
response.removeHeader('Content-Encoding');
EXPRESS.JS
To remove previously set headers in Express.js, use the removeHeader() function.
app.use(function (req, res, next) {
  // Set a header, then remove it again before the response is sent
  res.header('Pragma', 'no-cache');
  res.removeHeader('Pragma');
  next();
});
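removeHeader() only affects headers that are already set when it is called, so a header added by a later handler still reaches the client. The following added example (not code from the original article) wraps res.writeHead so a deny list is applied when the headers are about to be sent. The names stripResponseHeaders, DEFAULT_DENY and demo are hypothetical, and the demo request object and header values are constructed.

```javascript
const http = require('http');

// Header names taken from the examples on this page; adjust as needed.
const DEFAULT_DENY = ['server', 'x-powered-by', 'x-aspnet-version'];

// Express/Connect-style middleware (hypothetical name). It wraps
// res.writeHead so the deny list is applied when the headers are about to
// be sent, which also catches headers that later handlers add.
function stripResponseHeaders(deny = DEFAULT_DENY) {
  const denied = new Set(deny.map((name) => name.toLowerCase()));
  return function (req, res, next) {
    const writeHead = res.writeHead;
    res.writeHead = function (statusCode, ...rest) {
      // Headers queued earlier with setHeader() / res.header().
      for (const name of res.getHeaderNames()) {
        if (denied.has(name)) res.removeHeader(name);
      }
      // Headers passed as an object: writeHead(status[, message], headers).
      // The raw-array form of that argument is not handled here.
      const last = rest.length - 1;
      const extra = rest[last];
      if (extra && typeof extra === 'object' && !Array.isArray(extra)) {
        rest[last] = Object.fromEntries(
          Object.entries(extra).filter(([k]) => !denied.has(k.toLowerCase()))
        );
      }
      return writeHead.call(this, statusCode, ...rest);
    };
    next();
  };
}

// Constructed demo: a socket-less ServerResponse stands in for a live
// request, and the callback plays the part of a later route handler.
function demo() {
  const req = { method: 'GET', httpVersionMajor: 1, httpVersionMinor: 1 };
  const res = new http.ServerResponse(req);
  stripResponseHeaders()(req, res, () => {
    res.setHeader('X-Powered-By', 'ExampleFramework'); // set after middleware
    res.setHeader('Content-Type', 'text/plain');
    res.writeHead(200, { Server: 'example/1.0', 'Cache-Control': 'no-store' });
  });
  return res.getHeaderNames().sort();
}

console.log(demo());
```

Register it with app.use(stripResponseHeaders()) before the routes whose responses it should cover.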
CONCLUSION
Removing an HTTP response header can help in a few ways: it lowers the security risk of exposing sensitive information and speeds up your app or page loading time, which is also a positive signal for Google.
Source: zinoui / Tjd Studio
- Last updated 5 years ago