
RESTful API Discloses - "X-Powered-By" Fingerprinting Header

Description

The API sets the "X-Powered-By" header in its responses. This header discloses information about the technology of the server hosting the API. An attacker can use this data to identify known vulnerabilities in that specific technology, potentially leading to server compromise. Review the Additional Information section for details about how this violation was detected.

Remediation

Remove or mask the 'X-Powered-By' header from all API responses to avoid revealing technology details. Configure your server or framework to suppress identifying headers. If you use a reverse proxy, CDN, or load balancer, ensure it does not preserve or re-inject such headers. Keep the server software updated with the latest security patches, and perform regular audits of any libraries or plugins that might introduce additional exposures. Consider deploying a Web Application Firewall (WAF) or intrusion detection system to detect suspicious traffic targeting known weaknesses of the disclosed platform. Periodically verify response headers to confirm that no unnecessary information is leaked.
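The last remediation step, periodically verifying response headers, is easy to automate. The following Python script is an added example and is not part of this finding's page or of any scanner product: it parses a raw HTTP response, reports fingerprinting headers, and produces a sanitized header list. It goes slightly beyond the page by also treating "Server" and the ASP.NET version headers as disclosures; that header list, the sample response, and the values "Express" and "nginx/1.18.0" in it are all constructed for the example.

```python
"""Audit an HTTP response for technology-disclosing headers such as X-Powered-By.

Added example for this finding; the header list below is an assumption chosen
for illustration, not the scanner's own rule set.
"""
from typing import Dict, List, Tuple

# Response headers that commonly reveal the server stack. X-Powered-By is the
# one this finding is about; the others are added here as a generalization.
FINGERPRINT_HEADERS = {
    "x-powered-by",
    "server",
    "x-aspnet-version",
    "x-aspnetmvc-version",
}

Header = Tuple[str, str]


def parse_response_headers(raw: str) -> List[Header]:
    """Split the header block of a raw HTTP/1.x response into (name, value) pairs.

    Accepts both CRLF and bare LF line endings, skips the status line and stops
    at the blank line that separates headers from the body.
    """
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0]
    headers: List[Header] = []
    for line in head.split("\n")[1:]:  # index 0 is the status line
        if not line.strip():
            continue
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return headers


def find_disclosures(headers: List[Header]) -> Dict[str, str]:
    """Return the fingerprinting headers present, keyed by their original name.

    Header names are matched case-insensitively, as HTTP requires.
    """
    return {name: value for name, value in headers if name.lower() in FINGERPRINT_HEADERS}


def strip_fingerprint_headers(headers: List[Header]) -> List[Header]:
    """Return a copy of the header list with every fingerprinting header removed.

    This mirrors what a reverse proxy or framework setting should do before the
    response leaves the server.
    """
    return [(name, value) for name, value in headers if name.lower() not in FINGERPRINT_HEADERS]


def audit(raw: str) -> Dict[str, object]:
    """Produce a small finding record for a raw response (values are from the page's classification)."""
    disclosures = find_disclosures(parse_response_headers(raw))
    return {
        "disclosed": disclosures,
        "violates": bool(disclosures),
        "cwe": "CWE-200",
        "severity": "LOW",
    }


# Constructed sample response; the header values are invented for the example.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: application/json\r\n"
    "X-Powered-By: Express\r\n"
    "Server: nginx/1.18.0\r\n"
    "Cache-Control: no-store\r\n"
    "\r\n"
    '{"status":"ok"}'
)


if __name__ == "__main__":
    parsed = parse_response_headers(SAMPLE_RESPONSE)
    for name, value in find_disclosures(parsed).items():
        print(f"disclosed: {name}: {value}")
    print("sanitized:", strip_fingerprint_headers(parsed))
```

Run it against a captured response (for instance the output of `curl -si`) to confirm that, after the proxy or framework change, `find_disclosures` returns an empty dictionary.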

References

https://owasp.org/www-community/attacks/Information_exposure
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers

Severity

LOW

Owasp

Code: A05:2021

Category: Security Misconfiguration

Classification

CWE-200
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

3.1

CVSS:4.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

3.1
