Technology fingerprints let an attacker learn which technologies were used to develop the web application and perform relevant security assessments more quickly (for example, identifying known vulnerable components).

It is recommended not to disclose the technologies used on a website, for example through the x-powered-by HTTP header.

Noncompliant Code Example

By default, Express.js discloses its name in the x-powered-by HTTP header:

let express = require('express');
let app = express(); // Noncompliant

app.get('/', function (req, res) {
  res.send('hello');
});

Compliant Solution

The x-powered-by HTTP header should be disabled in Express.js, either with app.disable or with the helmet hidePoweredBy middleware:

let express = require('express');

let app1 = express();  // Compliant
app1.disable("x-powered-by");

let helmet = require("helmet");
let app2 = express(); // Compliant
app2.use(helmet.hidePoweredBy());
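
A regression check for this rule, as an added example that is not part of the original rule text: it parses the head of a raw HTTP response (for instance the output of curl -i) and reports any x-powered-by disclosure. The function names, the sample responses and the optional list of extra header names are assumptions of this example.

```javascript
'use strict';

// Header names treated as technology fingerprints. Only x-powered-by comes from
// the rule above; callers may pass more names (an assumption of this example).
const DEFAULT_FINGERPRINT_HEADERS = ['x-powered-by'];

// Parse the head of a raw HTTP response into [lowercased-name, value] pairs.
// Header names are case-insensitive and may repeat, so every occurrence is kept.
function parseResponseHead(raw) {
  const head = raw.split(/\r?\n\r?\n/, 1)[0];   // drop the body
  const lines = head.split(/\r?\n/).slice(1);   // drop the status line
  const pairs = [];
  for (const line of lines) {
    const idx = line.indexOf(':');
    if (idx <= 0) continue;                     // not a header line
    pairs.push([line.slice(0, idx).trim().toLowerCase(), line.slice(idx + 1).trim()]);
  }
  return pairs;
}

// Return the disclosed fingerprint headers; an empty array means compliant.
function findFingerprintHeaders(raw, names = DEFAULT_FINGERPRINT_HEADERS) {
  const wanted = new Set(names.map((n) => n.toLowerCase()));
  return parseResponseHead(raw)
    .filter(([name]) => wanted.has(name))
    .map(([name, value]) => ({ header: name, value }));
}

// Constructed sample: what the noncompliant app above would answer on GET /.
const DEFAULT_EXPRESS_RESPONSE = [
  'HTTP/1.1 200 OK',
  'X-Powered-By: Express',
  'Content-Type: text/html; charset=utf-8',
  'Content-Length: 5',
  '',
  'hello',
].join('\r\n');

// Constructed sample: the same response once the header is disabled.
const HARDENED_RESPONSE =
  DEFAULT_EXPRESS_RESPONSE.replace('X-Powered-By: Express\r\n', '');

console.log(findFingerprintHeaders(DEFAULT_EXPRESS_RESPONSE));
console.log(findFingerprintHeaders(HARDENED_RESPONSE));
```

Only the response head is inspected, so a body that happens to contain a header-like line does not produce a finding.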

See

* OWASP Testing Guide - OTG-INFO-008 - Fingerprint Web Application Framework

* OWASP Testing Guide - OTG-INFO-009 - Fingerprint Web Application

* OWASP Top 10 2017 Category A6 - Security Misconfiguration

* MITRE, CWE-200 - Information Exposure