How To Remove Unwanted HTTP Response Headers

Posted on: December 31, 2017 by Dimitar Ivanov

Introduction

Every response to a request for a web page or resource (image, JavaScript, stylesheet, font) carries not only the actual content but also a set of headers. In this article, you will learn how to remove an HTTP header from the server response.

Terminology

Header
A piece of information sent with the request and response for each resource that helps the client and server communicate with each other.
Response
A message plus headers sent by the server in response to a request for a resource.
Response Header
A header sent in a response to a request for a resource that contains information about the location of the resource, server name, scripting language, its version, access control, etc.

Why might you want to remove an HTTP response header?

Unnecessary headers increase the size of the response, which may increase the page loading time. Even though a header's size is relatively small, it is a waste of bandwidth to send useless headers along with each server response. In addition, some headers may expose information such as your server platform and software, which could later be used by someone to attack the server through well-known vulnerabilities in that particular system.

How to remove an HTTP response header

To overcome the security risk and the performance issue, remove useless HTTP headers from the server response. The following examples cover various popular web servers and scripting languages.

PHP

To remove previously set headers in PHP, use the header_remove() function. This function is available since PHP 5.3.0.

<?php
header_remove("X-Powered-By"); 
?>

Apache

To remove a response header in Apache, use the Header directive with the unset argument. The Header directive can be used in the server config (e.g. httpd.conf), a virtual host, or a site-specific .htaccess file.

# The Header directive is provided by mod_headers, which must be enabled
Header unset X-Powered-By

Nginx

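In Nginx, the relevant directives are proxy_set_header, proxy_hide_header, and more_clear_headers.

# An empty value stops this header from being passed to the proxied server
# (this affects the request sent upstream, not the response sent to the client)
proxy_set_header X-Powered-By "";
# or: do not pass this header from the proxied server's response to the client
proxy_hide_header X-Powered-By;
# or: clear the header from the response (requires the headers-more module)
more_clear_headers Server;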

Microsoft IIS

To remove unwanted response headers in Microsoft IIS 7.0 to 8.5 use the Dionach StripHeaders native-code module. The default configuration is shown below:

<configuration>
  <system.webServer>
    <stripHeaders>
      <header name="Server" />
      <header name="X-Powered-By" />
      <header name="X-Aspnet-Version" />
    </stripHeaders>
  </system.webServer>
</configuration>

Node.js

To remove a response header in Node.js, use the removeHeader() function. This function was added in v0.4.0.

response.removeHeader('Content-Encoding');

Express.js

To remove previously set headers in Express.js, use the removeHeader() function.

app.use(function (req, res, next) {
  res.header('Pragma', 'no-cache');
  res.removeHeader('Pragma');
  next();
});
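
To confirm that a header is really gone after applying any of the configurations above, the response itself can be checked. The following is an added example, not code from the original article: it parses the head of a raw HTTP response and reports which of the headers named in this article (Server, X-Powered-By, X-Aspnet-Version) are still present and whether they carry a version number. The function names and the sample responses are constructed for illustration.

```javascript
// Headers this article strips in its examples (compared case-insensitively).
const DISCLOSING = ['server', 'x-powered-by', 'x-aspnet-version'];

// Parse the head of a raw HTTP response (status line + header lines) into
// a Map of lower-cased name -> array of values, keeping repeated headers.
function parseResponseHead(raw) {
  const head = raw.split(/\r?\n\r?\n/)[0];      // drop any body
  const lines = head.split(/\r?\n/).slice(1);   // skip the status line
  const headers = new Map();
  for (const line of lines) {
    const idx = line.indexOf(':');
    if (idx <= 0) continue;                     // not a header line
    const name = line.slice(0, idx).trim().toLowerCase();
    const value = line.slice(idx + 1).trim();
    if (!headers.has(name)) headers.set(name, []);
    headers.get(name).push(value);
  }
  return headers;
}

// Report every disclosing header still present, and whether its value
// carries a version number (e.g. "PHP/5.3.0").
function auditResponse(raw) {
  const headers = parseResponseHead(raw);
  const findings = [];
  for (const name of DISCLOSING) {
    for (const value of headers.get(name) || []) {
      findings.push({ name, value, hasVersion: /\d+(\.\d+)+/.test(value) });
    }
  }
  return findings;
}

// Constructed sample responses (not captured from a real server).
const BEFORE = [
  'HTTP/1.1 200 OK',
  'Server: Apache/2.4.0 (Unix)',
  'X-Powered-By: PHP/5.3.0',
  'Content-Type: text/html',
  '', '<html></html>',
].join('\r\n');

const AFTER = [
  'HTTP/1.1 200 OK',
  'Server: Apache',
  'Content-Type: text/html',
  '', '',
].join('\r\n');

console.log(auditResponse(BEFORE));
console.log(auditResponse(AFTER));
```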

Conclusion

Removing an HTTP response header can help in a few ways: it lowers the security risk of exposing sensitive information and speeds up your app or page loading time, which is also a positive signal for Google.
