From b30bbb3b3537afd3da17fce08aec6b15a672e6ea Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Marc-Aur=C3=A8le=20DARCHE?=
Date: Mon, 23 Nov 2015 17:13:10 +0100
Subject: [PATCH] Security improvement: don't reveal powered-by

The first thing recommended when setting up an Express instance is to secure it by removing its "X-Powered-By" header.
https://www.npmjs.com/package/helmet
https://blog.risingstack.com/node-js-security-checklist/
https://strongloop.com/strongblog/best-practices-for-express-in-production-part-one-security/
So let's save cycles by not setting this header in the first place.
This header is also totally useless. If some people are needing it somewhere for a very specific usecase they can add a little custom middleware that returns the "X-Powered-By" header again.
---
 lib/application.js | 6 ------
 test/req.secure.js | 15 +++++++++++++++
 2 files changed, 15 insertions(+), 6 deletions(-)

diff --git a/lib/application.js b/lib/application.js
index bcc509459e..2d0a2067e6 100644
--- a/lib/application.js
+++ b/lib/application.js
@@ -85,7 +85,6 @@ app.defaultConfiguration = function defaultConfiguration() {
   var env = process.env.NODE_ENV || 'development';
 
   // default settings
-  this.enable('x-powered-by');
   this.set('etag', 'weak');
   this.set('env', env);
   this.set('query parser', 'extended');
@@ -150,11 +149,6 @@ app.handle = function handle(req, res, callback) {
     onerror: logerror.bind(this)
   });
 
-  // set powered by header
-  if (this.enabled('x-powered-by')) {
-    res.setHeader('X-Powered-By', 'Express');
-  }
-
   // set circular references
   req.res = res;
   res.req = req;
diff --git a/test/req.secure.js b/test/req.secure.js
index 2025c8786b..512329c552 100644
--- a/test/req.secure.js
+++ b/test/req.secure.js
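Review bot: Dropping `this.enable('x-powered-by')` from defaultConfiguration together with the `this.enabled('x-powered-by')` check in handle silently retires the setting rather than removing it: `app.set('x-powered-by', true)` or `app.enable('x-powered-by')` still succeeds but no header is emitted, and the `app.disable('x-powered-by')` line found in existing hardening code becomes a no-op with no signal to the operator. The new default is the right one, but the change needs a changelog entry and an update to the settings documentation so nobody keeps treating the setting as a live security control. A short comment where the enable line was removed, e.g. `// 'x-powered-by' is no longer a setting: the X-Powered-By header is never emitted`, would keep the decision discoverable in the source. Both defaultConfiguration and handle continue outside these hunks.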
@@ -3,6 +3,21 @@
 var express = require('../')
   , request = require('supertest');
 
 describe('req', function(){
+  it('should not reveal powered-by', function(done){
+    var app = express();
+
+    app.get('/', function(req, res){
+      res.send('hello world');
+    });
+
+    request(app)
+      .get('/')
+      .expect(function (res) {
+        res.header.should.not.have.property('x-powered-by');
+      })
+      .expect(200, done)
+  })
+
   describe('.secure', function(){
     describe('when X-Forwarded-Proto is missing', function(){
       it('should return false when http', function(done){
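Review bot: The new assertion `res.header.should.not.have.property('x-powered-by')` depends on the `should` library having extended Object.prototype, yet nothing in the visible context of test/req.secure.js requires it; the test presumably passes only because another test file loaded in the same mocha run pulls `should` in, which makes it fragile when run in isolation. A self-contained check inside the existing `.expect(function (res) { ... })` callback avoids that: `if ('x-powered-by' in res.headers) throw new Error('X-Powered-By header must not be sent');`. The case also verifies a response header of the app as a whole, so it fits better beside the app or res tests than in a file named for `req.secure`, and `.expect(200, done)` is missing its terminating semicolon. The enclosing describe('req') block continues outside the hunk.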