FlyingMillennial
commented
8 years ago Won't that get nuked every time we do an NPM INSTALL? Should we figure out a way to do it within our own codebase rather than an npm module?
Closed kwhinnery closed 8 years ago
FlyingMillennial
commented
8 years ago Won't that get nuked every time we do an NPM INSTALL? Should we figure out a way to do it within our own codebase rather than an npm module?
lucasxyang
commented
8 years ago Commenting out line 73 of /todomvc-plusplus/node_modules/express/lib/application.js will do the job
FlyingMillennial
commented
8 years ago I created a file in /src/server/controllers called headers.js:
function headers() {
return function(req, res, next) {
res.removeHeader("x-powered-by");
next();
};
}
module.exports = headers;...and added the following to webapp.js:
app.use(headers());
This defines our own middleware rather than editing one of our dependencies.
anthonybrown
commented
8 years ago app.use(function (req, res, next) { res.removeHeader("x-powered-by"); next(); });
By default, Express sends an X-Powered-By header that indicates that Express is the web server behind the request. Generally speaking, you don't want to allow evildoers to know specifically what technology is serving your page, to prevent targeted attacks.
Disable this response header by any means necessary. I think there's some middleware that does this? Maybe an Express configuration option?