Fix guide · low · x_powered_by_leak
X-Powered-By header reveals server framework
What this rule means
Your responses include an X-Powered-By header that names the framework serving them and, in some runtimes, its exact version (Express sends the bare name "Express"; PHP sends a version string such as "PHP/8.1.2").
Why it matters
It hands attackers a free fingerprint. Knowing exactly which framework (and, where the header carries it, which version) serves the app lets them skip the guessing and go straight to the known CVEs and typical misconfigurations for that stack. Automated scanners key on this header too, so it attracts exactly the attention you do not want.
How to fix it
Disable the header wherever it is emitted, which is the framework or the web server in front of it:
- Express: app.disable('x-powered-by') (Express sets the header by default)
- Hapi: it's off by default, nothing to change
- Next.js: poweredByHeader: false in next.config.js
- Nginx: don't set it (it's not on by default); if nginx proxies to an app that does set it, also strip it at the proxy with the proxy_hide_header directive so the origin's header is not passed through
- ASP.NET: in web.config (under system.webServer),
<httpProtocol><customHeaders><remove name="X-Powered-By"/></customHeaders></httpProtocol>
IIS adds this header itself, so it has to be removed at the IIS layer, not only in application code.
Removing the header only takes away the easiest tell. Cookie names, error pages and other response details still identify most frameworks, so treat this as noise reduction rather than as a control that stops a targeted attacker.
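If you cannot change the framework setting, or want a belt-and-braces guard for a Node.js app, the following is an added example (not vibecheck's code and not part of any framework) of a framework-agnostic middleware that strips stack-revealing headers at write time, plus a small checker you can run over a raw HTTP response captured with curl -si to confirm the fix before re-running the scan. The header list STACK_HEADERS, the middleware name hideStackHeaders and the sample response are all assumptions made for this example.

```javascript
'use strict';

// Added example, not vibecheck's or any framework's own code.
// Header names that identify the server stack. X-Powered-By is what this rule
// flags; the others commonly travel with it (IIS/ASP.NET emit the X-Asp* ones)
// and leak the same kind of information. Compared case-insensitively.
const STACK_HEADERS = ['x-powered-by', 'server', 'x-aspnet-version', 'x-aspnetmvc-version'];

function isStackHeader(name) {
  return STACK_HEADERS.includes(String(name).toLowerCase());
}

// Middleware that hooks res.writeHead so the headers are removed no matter which
// earlier handler or framework default set them. The signature matches
// Express/Connect middleware (req, res, next); with plain http.createServer call
// hideStackHeaders(req, res) at the top of the request handler.
function hideStackHeaders(req, res, next) {
  const originalWriteHead = res.writeHead;
  res.writeHead = function (...args) {
    // Headers set earlier via res.setHeader():
    for (const name of STACK_HEADERS) res.removeHeader(name);
    // Headers passed inline as writeHead(status[, reason], headersObject):
    const inline = args.find((a) => a && typeof a === 'object' && !Array.isArray(a));
    if (inline) {
      for (const key of Object.keys(inline)) if (isStackHeader(key)) delete inline[key];
    }
    return originalWriteHead.apply(this, args);
  };
  if (typeof next === 'function') next();
}

// Parse a raw HTTP/1.x response (e.g. the output of `curl -si`) and list the
// stack-revealing headers it still carries. An empty array means the fix took.
function findStackHeaders(rawResponse) {
  const headerBlock = rawResponse.split(/\r?\n\r?\n/)[0];
  const found = [];
  for (const line of headerBlock.split(/\r?\n/).slice(1)) { // slice(1) drops the status line
    const colon = line.indexOf(':');
    if (colon < 0) continue;
    const name = line.slice(0, colon).trim();
    if (isStackHeader(name)) {
      found.push({ name: name.toLowerCase(), value: line.slice(colon + 1).trim() });
    }
  }
  return found;
}

// Minimal stand-in for http.ServerResponse (constructed for this example) so the
// guard can be exercised synchronously; only the methods the guard touches exist.
function makeFakeResponse() {
  const headers = new Map();
  return {
    setHeader(name, value) { headers.set(name.toLowerCase(), value); },
    removeHeader(name) { headers.delete(name.toLowerCase()); },
    writeHead(status, obj) {
      if (obj) for (const [k, v] of Object.entries(obj)) headers.set(k.toLowerCase(), v);
      this.statusCode = status;
      return this;
    },
    headerNames() { return [...headers.keys()].sort(); },
  };
}

// Demo: the headers a framework-default response would carry, with and without
// the guard. The framework sets X-Powered-By before user middleware runs, so the
// header is set first and the guard installed afterwards, as in real deployments.
function demo() {
  const leaky = makeFakeResponse();
  leaky.setHeader('X-Powered-By', 'Express');
  leaky.writeHead(200, { 'Content-Type': 'text/html', Server: 'nginx/1.24.0' });

  const guarded = makeFakeResponse();
  guarded.setHeader('X-Powered-By', 'Express');
  hideStackHeaders({}, guarded);
  guarded.writeHead(200, { 'Content-Type': 'text/html', Server: 'nginx/1.24.0' });

  return { before: leaky.headerNames(), after: guarded.headerNames() };
}

// Constructed sample of a raw response, as captured with `curl -si`.
const SAMPLE_RESPONSE =
  'HTTP/1.1 200 OK\r\nContent-Type: text/html; charset=utf-8\r\n' +
  'X-Powered-By: PHP/8.1.2\r\nContent-Length: 0\r\n\r\n';

console.log(demo());
console.log(findStackHeaders(SAMPLE_RESPONSE));
```

The guard hooks writeHead rather than setHeader because that is the last point at which headers can still be changed, and it also catches headers handed to writeHead inline. The checker is deliberately separate from the guard: run it against a real capture of your deployed app, not only against the demo, since a reverse proxy or CDN in front of the app can reintroduce a Server or X-Powered-By header that the application itself no longer sets.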
Did vibecheck flag this on your app?
If you reached this page from a vibecheck inspection report, the redacted match in your scan output is the exact string we found in your bundle. After applying the fix above, run the inspection again — the finding should clear.