F-2025-0015·information-disclosure

X-Powered-By: express header leaks technology stack

Tags: Fixed · typescript · widget · router-api
TL;DR

The X-Powered-By: Express response header disclosed the underlying technology stack, lowering the cost of reconnaissance for an attacker mapping the surface.

Severity: LOW
Impact: LOW
Likelihood: LOW
Method: Manual review
Category: information-disclosure
Complexity: LOW
Exploitability: LOW
Description

The Router API emitted X-Powered-By: Express on every response, disclosing the underlying framework (and, by implication, the Node.js runtime). Express sets this header by default unless the application disables it. On its own the disclosure is trivial, but removing such headers is standard hardening: it stops an attacker from narrowing their scanner and exploit selection to Express-specific issues from a single unauthenticated request. A quick check is to request any endpoint with a client that prints response headers and look for X-Powered-By in the output.

Recommendation

Disable the X-Powered-By header (app.disable('x-powered-by') in Express; the helmet middleware also removes it). Audit other response headers for similar disclosures, such as Server or version headers added by reverse proxies. Note that this only removes the explicit banner: Express can still be fingerprinted from behaviour such as its default "Cannot GET /path" 404 body, so the change reduces reconnaissance convenience rather than preventing identification.
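To illustrate both the description and the recommendation, the following is an added example and not code from the Initia router-api repository. It contains a small audit function that flags fingerprinting headers in a response, and an Express-style middleware that strips them by calling res.removeHeader('X-Powered-By') (which works because Express sets that header before application middleware runs). The header list, the MemoryResponse stand-in for the Express response object, and the sample headers are all assumptions constructed for this example so that it runs without the express package.

```typescript
// Added example, not part of the audited router-api code.
// Demonstrates: (1) auditing response headers for technology disclosures,
// (2) an Express-compatible middleware that strips them.

type Headers = Record<string, string>;

interface Finding {
  header: string;
  value: string;
  reason: string;
}

// Response headers that commonly disclose framework, server or language.
// Assumption: an illustrative list, not an exhaustive catalogue.
const DISCLOSING_HEADERS: Record<string, string> = {
  "x-powered-by": "framework/runtime fingerprint",
  "server": "web server fingerprint",
  "x-aspnet-version": "ASP.NET version disclosure",
  "x-aspnetmvc-version": "ASP.NET MVC version disclosure",
  "x-generator": "CMS/generator fingerprint",
};

// Returns one finding per header that leaks stack information.
function auditHeaders(headers: Headers): Finding[] {
  const findings: Finding[] = [];
  for (const [name, value] of Object.entries(headers)) {
    const key = name.toLowerCase();
    const reason = DISCLOSING_HEADERS[key];
    if (reason !== undefined) {
      findings.push({ header: key, value, reason });
    }
  }
  return findings;
}

// Minimal shape of the Express response methods the middleware uses,
// so this file runs without express installed (assumption for the example).
interface ResLike {
  setHeader(name: string, value: string): void;
  removeHeader(name: string): void;
  getHeaders(): Headers;
}

// Express-style middleware: remove every disclosing header, then continue.
// In a real app, app.disable('x-powered-by') is the simpler fix for Express's
// own header; this middleware also covers headers set by other code.
function stripDisclosureHeaders(_req: unknown, res: ResLike, next: () => void): void {
  for (const name of Object.keys(res.getHeaders())) {
    if (DISCLOSING_HEADERS[name.toLowerCase()] !== undefined) {
      res.removeHeader(name);
    }
  }
  next();
}

// In-memory stand-in for the Express response object (assumption). Node lowercases
// header names in getHeaders(), which this mirrors.
class MemoryResponse implements ResLike {
  private headers: Headers = {};
  setHeader(name: string, value: string): void {
    this.headers[name.toLowerCase()] = value;
  }
  removeHeader(name: string): void {
    delete this.headers[name.toLowerCase()];
  }
  getHeaders(): Headers {
    return { ...this.headers };
  }
}

// Constructed sample: headers as a default Express app emits them before the fix.
const SAMPLE_BEFORE: Headers = {
  "X-Powered-By": "Express",
  "Content-Type": "application/json; charset=utf-8",
  "Content-Length": "42",
};

// Runs the middleware over the sample response and re-audits the result.
function hardenedFindings(): Finding[] {
  const res = new MemoryResponse();
  for (const [name, value] of Object.entries(SAMPLE_BEFORE)) {
    res.setHeader(name, value);
  }
  stripDisclosureHeaders({}, res, () => undefined);
  return auditHeaders(res.getHeaders());
}

console.log("before:", auditHeaders(SAMPLE_BEFORE));
console.log("after:", hardenedFindings());
```

Running the file prints one finding for the unhardened sample (x-powered-by: Express) and none after the middleware has run. Registering stripDisclosureHeaders with app.use() before the routes gives the same effect in a real Express application; it is a belt-and-braces complement to app.disable('x-powered-by'), not a replacement for auditing what proxies in front of the API add.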

Initia: Resolved. Pashov Audit Group: Resolved.

Status: Fixed
Fix commit: de9d3602dc1a
Fix date: 2025-06-23