Web application frameworks and servers often disclose version information by default through HTTP headers.

Why is this an issue?

Version information disclosed by default through HTTP headers is often overlooked by developers, yet it can pose a security risk. Once this information is public, attackers can use it to identify potential vulnerabilities specific to that version. This rule raises an issue when version information is disclosed through HTTP headers such as x-powered-by or Server.

What is the potential impact?

If the disclosed version information indicates the use of outdated or unsupported software, it becomes easier for attackers to exploit known vulnerabilities. They can search for published vulnerabilities related to that version and launch targeted attacks.

How to fix it

In Express.js, the x-powered-by HTTP header is sent by default on every response. It should be disabled with app.disable('x-powered-by') or with helmet's hidePoweredBy() middleware.

Code examples

Noncompliant code example

let express = require('express');

let example = express(); // Noncompliant: every response carries "X-Powered-By: Express"

example.get('/', function (req, res) {
  res.send('example');
});

Compliant solution

let express = require('express');

let example = express();
example.disable("x-powered-by");

Or with helmet:

let express = require('express');
let helmet = require("helmet");

let example = express();
example.use(helmet.hidePoweredBy()); // removes X-Powered-By before the response is sent
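The following is an added example, not code from the rule or from Express/helmet: it audits a response header map for the headers this rule flags (x-powered-by and Server) and shows an Express-style middleware with the same effect as the compliant solutions above. The header values, the response stub and the runChain() harness are constructed so it runs without a server.

```javascript
// Added example, not the rule's own code; header values are constructed.
// Headers the rule flags. A Server header usually comes from the front-end
// web server or reverse proxy and has to be fixed in that server's configuration.
const DISCLOSING_HEADERS = ['x-powered-by', 'server'];
const VERSION_PATTERN = /\d+\.\d+/; // matches "Express/4.18.2" or "nginx/1.18.0"

// One finding per disclosing header, noting whether the value also carries an
// explicit version number (the case the rule considers most dangerous).
function auditHeaders(headers) {
  const findings = [];
  for (const [name, value] of Object.entries(headers)) {
    const header = name.toLowerCase();
    if (!DISCLOSING_HEADERS.includes(header)) continue;
    const text = String(value);
    findings.push({ header, value: text, explicitVersion: VERSION_PATTERN.test(text) });
  }
  return findings;
}

// Express-style middleware with the same effect as app.disable('x-powered-by')
// or helmet.hidePoweredBy(): Express sets the header before user middleware
// runs, so removing it here keeps it off every response.
function hidePoweredBy(req, res, next) {
  res.removeHeader('X-Powered-By');
  next();
}

// Minimal stand-in for the header methods of http.ServerResponse, constructed
// so the example runs without a listening server.
function makeResponse() {
  const headers = {};
  return {
    setHeader(name, value) { headers[name.toLowerCase()] = value; },
    removeHeader(name) { delete headers[name.toLowerCase()]; },
    getHeaders() { return { ...headers }; },
  };
}

// Simulate Express: the framework sets X-Powered-By, then the middleware chain
// runs. Returns the headers that would reach the client.
function runChain(middlewares) {
  const res = makeResponse();
  res.setHeader('X-Powered-By', 'Express'); // Express's default behaviour
  let i = 0;
  const next = () => { if (i < middlewares.length) middlewares[i++]({}, res, next); };
  next();
  return res.getHeaders();
}

console.log(auditHeaders(runChain([])), auditHeaders(runChain([hidePoweredBy])));
```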
