hide-powered-by

1.1.0 verified Sat Apr 25 auth: no javascript

Simple middleware to remove or spoof the X-Powered-By HTTP header. Version 1.1.0 is stable with minimal maintenance. Part of the Helmet.js security middleware family. Differentiates from alternatives by allowing custom header values to mislead attackers. Removing X-Powered-By only obfuscates the framework and is not a strong security measure.

Common errors

error Cannot find module 'hide-powered-by' ↓

cause Package not installed

fix

npm install hide-powered-by

error TypeError: hidePoweredBy is not a function ↓

cause Incorrect import: using named import instead of default

fix

Change import to import hidePoweredBy from 'hide-powered-by' or const hidePoweredBy = require('hide-powered-by')

error Property 'setTo' does not exist on type '{ setTo?: string | undefined; }' ↓

cause TypeScript type mismatch

fix

Use typed options: import type { HidePoweredByOptions } from 'hide-powered-by' and pass options as HidePoweredByOptions.

Warnings

gotcha Removing X-Powered-By is not a strong security measure; it only obfuscates the framework. ↓

fix Consider additional security headers like Helmet's other middleware.

gotcha If using Express, you can simply use app.disable('x-powered-by') instead of this middleware. ↓

fix Use app.disable('x-powered-by') for Express apps.

gotcha The middleware sets the header to '' (empty string) by default, which may still expose the header. ↓

fix If you want to remove the header entirely, ensure your framework supports removing headers.

Install

npm install hide-powered-by

yarn add hide-powered-by

pnpm add hide-powered-by

Imports

hidePoweredBy
wrong
```
const hidePoweredBy = require('hide-powered-by')
```
correct
```
import hidePoweredBy from 'hide-powered-by'
```
ESM import is preferred; CommonJS require also works in CJS environments.

hidePoweredBy

wrong

import { hidePoweredBy } from 'hide-powered-by'

correct

const hidePoweredBy = require('hide-powered-by')

The package exports a single default function, not a named export.

HidePoweredByOptions

wrong

import { HidePoweredByOptions } from 'hide-powered-by'

correct

import type { HidePoweredByOptions } from 'hide-powered-by'

This is a TypeScript type export; use import type or skip if not using TS.

Quickstart

Demonstrates how to use hide-powered-by middleware with Express to remove or spoof the X-Powered-By header.

import express from 'express';
import hidePoweredBy from 'hide-powered-by';

const app = express();

// Remove X-Powered-By header
app.use(hidePoweredBy());

// Or set to a custom value
app.use(hidePoweredBy({ setTo: 'PHP 4.2.0' }));

app.get('/', (req, res) => {
  res.send('Hello World!');
});

app.listen(3000, () => console.log('Server running on port 3000'));