wp-media / wp-rocket

Performance optimization plugin for WordPress
https://wp-rocket.me
GNU General Public License v2.0

Remove X-Powered-By WP Rocket / 3.8.6 + (Permanently) #3646

Open ghost opened 3 years ago

ghost commented 3 years ago

Issue:

WP Rocket continues to add the "X-Powered-By" header to all websites.

Click below for details:

https://prnt.sc/10ekr4e
https://prnt.sc/10ekua2

The added X-Powered-By header is unnecessary, poor advertising, compromises security, and does not respect the following htaccess rules to remove it:

Header always unset X-Powered-By
Header unset X-Powered-By

In addition, the following filter -- provided by WP Rocket customer support -- to remove it does not work:

add_filter('rocket_htaccess_files_match', '__return_false');

Bottom line:

Remove "X-Powered-By" PERMANENTLY. That is, remove the following htaccess file entry:

Header set X-Powered-By "WP Rocket / 3.8.6" (and all future revisions)

The above can be accomplished prior to WP Rocket's next plugin revision.

Quite sure we're not the only ones requesting this change.

Thank you.

DahmaniAdame commented 3 years ago

That particular header can be removed by adding the following code to your functions.php file:

add_filter( 'rocket_htaccess_files_match', 'wpr_edit_rules_to_cache_control' );
// Receives the rules WP Rocket is about to write to .htaccess and returns them
// with the exact "Header set X-Powered-By" line for the installed version removed.
function wpr_edit_rules_to_cache_control( $rules ) {
    return str_replace( 'Header set X-Powered-By "WP Rocket/' . WP_ROCKET_VERSION . '"' . PHP_EOL, '', $rules );
}

Make sure to deactivate/activate WP Rocket in order for the exclusion to work.
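
An added example, not WP Rocket's code nor the filter from the comment above: it strips the X-Powered-By line from the generated rules by pattern rather than by one exact string, so it also catches the spaced "WP Rocket / 3.8.6" form quoted in the issue and any future version number. The function name and the sample rule set are assumptions.

```php
<?php
// Added example (not WP Rocket's own code): a more tolerant variant of the
// support-provided filter. Instead of matching one exact string built from
// WP_ROCKET_VERSION, it drops every "Header set X-Powered-By" line whose
// value starts with "WP Rocket", whatever the spacing or version number.

/**
 * Strip any X-Powered-By "WP Rocket ..." line from generated .htaccess rules.
 *
 * @param string $rules Rules WP Rocket is about to write to .htaccess.
 * @return string Rules with the X-Powered-By line(s) removed.
 */
function example_strip_wp_rocket_powered_by( $rules ) {
    // Matches a whole line, including its line ending, for example:
    //   Header set X-Powered-By "WP Rocket / 3.8.6"
    //   Header set X-Powered-By "WP Rocket/3.8.6"
    // Leading whitespace is part of the match so indented lines go too.
    $pattern = '/^[ \t]*Header\s+set\s+X-Powered-By\s+"WP Rocket[^"]*"[ \t]*\R?/mi';
    return preg_replace( $pattern, '', $rules );
}

// Hook into WP Rocket only when running inside WordPress; the function
// above stays runnable from the command line without it.
if ( function_exists( 'add_filter' ) ) {
    add_filter( 'rocket_htaccess_files_match', 'example_strip_wp_rocket_powered_by' );
}

// Constructed sample (not a real WP Rocket rule set) to show the effect.
$sample = "<IfModule mod_headers.c>\n"
    . "    Header set X-Powered-By \"WP Rocket / 3.8.6\"\n"
    . "    Header set Cache-Control \"max-age=0, no-cache\"\n"
    . "</IfModule>\n";

echo example_strip_wp_rocket_powered_by( $sample );
```

When placing this in functions.php, drop the sample and the echo and keep only the function and the add_filter call; as with the original filter, WP Rocket must regenerate its .htaccess rules before the change is visible.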

ghost commented 3 years ago

@DahmaniAdame,

Thank you for the filter. We tested it and, so far, it's working.

Hopefully, as requested, the X-Powered-By WP Rocket header will be permanently removed.

Kindly leave this GitHub Issue open until a decision (including an explanation) has been provided.

Cheers!

Tabrisrp commented 3 years ago

@GeekPress What do you think about this?

ghost commented 3 years ago

@Tabrisrp (et al),

Appreciate your attention to this.

Ironically, WP Rocket blocked "X-Powered-By" on their own website.

Click below for details.

https://prnt.sc/10g6xyk

As requested by many customers, WP Rocket removed "X-Powered-By" a while ago. Unfortunately, it was snuck in. Why? Imagine if your competitors (e.g., Perfmatters, Autoptimize, SG Optimizer, etc.) did the same thing? Poor practice.

And for all practical purposes, the proper label for this issue should be "bug", not "feature request".

Thank you!

GeekPress commented 3 years ago

The added X-Powered-By header is unnecessary, compromises security, and does not respect the following htaccess rules to remove it:

It is unnecessary for you, but not for us!

This header has some utility for support reasons; we won't delete it.

If you don't like that, we provided you a workaround to remove the header.

poor advertising,

If we need that to advertise our product, we have some problems;

compromises security

I can't disagree on this one. We will remove the version from the X-Powered-By.

Ironically, WP Rocket blocked "X-Powered-By" on their own website.

This is added only on Apache servers. On NGINX, we are using another header (X-Rocket-Nginx-Bypass) to know if WP Rocket is caching the website. And we are using NGINX on our own website.

As requested by many customers,

Even if I can totally understand your frustration, please don't consider your case as a general rule for our entire customer base. Most of our users aren't developers like you seem to be.

Imagine if your competitors (e.g., Perfmatters, Autoptimize, SG Optimizer, etc.) did the same thing? Poor practice.

You can't compare with Perfmatters and Autoptimize as they don't have a caching option.

Most caching plugins, including SG Optimizer, have a header to know if their caching system is working or not. If they don't use X-Powered-By, they use something like X-{Plugin-Name}-Cache with the value Miss or Hit.

So even if we decide to remove X-Powered-By, we will add another one like X-WP-ROCKET-Cache.

ghost commented 3 years ago

@GeekPress,

Thanks for your feedback. Much appreciated.

Based on your feedback, the best solution is to remove the "X-Powered-By" header completely and use instead "x-wp-rocket-cache" for both Apache and NGINX servers. Removing your plugin version number from "X-Powered-By" is not a solution.

The above solution provides a better indicator for determining if a website is being properly cached by your plugin.

Kindly leave this topic open until a permanent solution is implemented.

Again, thanks for your feedback. Great support, great plugin.

Cheers!

GeekPress commented 3 years ago

@Jetxpert Please explain why "X-Powered-By" shouldn't be used? Just telling us it's not the way to go doesn't help to understand your position.

ghost commented 3 years ago

@GeekPress,

Reasons provided above. Recap: (in no particular order)

(1) Unnecessary

Your statement "This header has some utilities for support reasons, we won't delete it." makes no sense to us.

(2) Website security

You agree with this one, so go with it.

(3) Poor advertising

We can respectfully disagree on this one all day long.

(4) Code inconsistency

If your own website does not display "X-Powered-By", then your clients' websites shouldn't either. Use "x-rocket-apache-bypass" for Apache servers or use "x-wp-rocket-cache" for all servers (if doable).

(5) Code Does Not Respect Apache htaccess Rules

From what we can tell, your plugin's code does not respect the Apache htaccess rules "always unset" and "unset" for "X-Powered-By." Why? Recommend changing your code to allow the use of these rules for your plugin. Many prefer to use htaccess rules over a custom filter.

Hopefully, the above helps. If not, you will find many more reasons by clicking below.

https://www.fastly.com/blog/headers-we-dont-want
https://www.zaproxy.org/docs/alerts/10037/
https://serverfault.com/questions/395332/whats-the-use-of-x-powered-by-server-and-other-similar-http-headers
https://scotthelme.co.uk/hardening-your-http-response-headers/

Implementing the above solution will keep many developers and non-developers (unaware of your exposed vulnerability) happy.

You guys own the plugin and can do whatever you please, but looking at the big picture and ensuring your clients' websites remain safe is always the right thing to do.

Cheers!

GeekPress commented 3 years ago

makes no sense to us.

Sorry for the correction: makes no sense for you.

Please, even if I understand this seems to be very important to you, don't consider your opinion to be that of all our users.

Implementing the above solution will keep many developers and non-developers (unaware of your exposed vulnerability) happy.

By removing the version from X-Powered-By, I don't see why it could still be a problem for security. Can you please elaborate more on why?

If we replace it with X-Rocket-Cache, then it will still be easy to know if the current website is using WP Rocket. This header, whatever the name, is mandatory to have.

jmslbam commented 3 years ago

If the version number can be removed, but the rest stays intact, that would be great 👍