
Information Disclosure via X-Page-Speed Header

Description

The 'X-Page-Speed' header indicates that Google's PageSpeed optimization module is enabled, and may reveal details about how resources are combined, compressed, or rewritten. Attackers can use this information to identify known PageSpeed issues or misconfigurations, which could lead to cache poisoning, stale content attacks, or manipulation of optimization parameters. Knowing that PageSpeed is in use, malicious actors may also craft exploits targeting particular modules or functionality linked to the installed version of PageSpeed. Ultimately, disclosing this header widens the application's attack surface by exposing details about its optimization strategy and any associated weaknesses.

Remediation

Remove or mask the 'X-Page-Speed' header in production environments to prevent public disclosure of optimization module details. Configure the PageSpeed module or your server settings so that identifying headers are suppressed. Keep PageSpeed and all related components updated with the latest security patches. If using reverse proxies, CDNs, or load balancers, ensure that they do not re-inject or preserve the header. Consider deploying a Web Application Firewall (WAF) or intrusion detection system to detect malicious attempts targeting PageSpeed-specific logic. Regularly audit response headers to confirm that no unnecessary data about your optimization configurations is leaked.
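One way to run the header audit described above, as an added example that is not part of the original page: it checks response heads captured at each hop (origin, CDN edge) for PageSpeed headers and records whether the value exposes a version string. The hop names, the sample captures, and the inclusion of the X-Mod-Pagespeed header name are assumptions.

```python
import re
from email.parser import Parser

# X-Page-Speed is the header this page covers. X-Mod-Pagespeed is included
# as an assumption (the name used by the Apache build of the module).
PAGESPEED_HEADERS = ("x-page-speed", "x-mod-pagespeed")
VERSION_RE = re.compile(r"\d+(?:\.\d+)+(?:-\d+)?")

def audit_hop(hop, raw_head):
    """Return one finding per PageSpeed header seen at this capture point."""
    # Drop the status line, then parse the rest as RFC 822 style headers.
    _, _, header_block = raw_head.strip().partition("\n")
    msg = Parser().parsestr(header_block, headersonly=True)
    findings = []
    for name in PAGESPEED_HEADERS:
        for value in msg.get_all(name, []):  # lookup is case-insensitive
            match = VERSION_RE.search(value)
            findings.append({
                "hop": hop,
                "header": name,
                "value": value.strip(),
                # A version string is the most specific detail the header can leak.
                "version": match.group(0) if match else None,
            })
    return findings

def audit_chain(captures):
    """captures: ordered (hop_name, raw_response_head) pairs, origin first."""
    return [f for hop, raw in captures for f in audit_hop(hop, raw)]

# Constructed sample captures (not taken from a real site).
ORIGIN = "HTTP/1.1 200 OK\nServer: nginx\nX-Page-Speed: 1.13.35.2-0\nContent-Type: text/html\n"
EDGE_PRESERVING = "HTTP/1.1 200 OK\nVia: 1.1 edge\nx-page-speed: 1.13.35.2-0\n"
EDGE_STRIPPING = "HTTP/1.1 200 OK\nVia: 1.1 edge\nContent-Type: text/html\n"
ORIGIN_MASKED = "HTTP/1.1 200 OK\nX-Page-Speed: Powered By ngx_pagespeed\n"

if __name__ == "__main__":
    for f in audit_chain([("origin", ORIGIN), ("cdn-edge", EDGE_PRESERVING)]):
        print(f)
```

A masked value still produces a finding with `version` set to `None`, because the header name alone shows that PageSpeed is in use; only a hop that removes the header returns an empty list.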

References

https://developers.google.com/speed/pagespeed/module
https://owasp.org/www-community/attacks/Information_exposure

Severity

MEDIUM

OWASP

Code: A05:2021

Category: Security Misconfiguration

Classification

CWE-200
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

5.4

CVSS:4.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

5.4