Java Servlet 3.0 spec advises to expose X-Powered-by. Isn't this a security bad practice?

Peter Perháč · Dec 13, 2013 · Viewed 7.2k times

Reading the Servlet 3.0 spec, I came across the following and wonder if that's really the recommended thing to do. I remember coming across advice to NOT include this info for security reasons:

It is recommended that containers use the X-Powered-By HTTP header to publish their implementation information. The field value should consist of one or more implementation types, such as "Servlet/3.0". Optionally, the supplementary information of the container and the underlying Java platform can be added after the implementation type within parentheses. The container should be configurable to suppress this header. Here are examples of this header:

X-Powered-By: Servlet/3.0 JSP/2.2 (GlassFish v3 JRE/1.6.0)

For example, here, it's argued against this practice. I once used a tool to analyze my website for potential problems and it came back with a security warning and a recommendation to remove the X-Powered-By headers.

Answer

Glad-he-ate-her · Nov 15, 2016

Security through obscurity is a 'Layer' of security. As it pertains to this situation, it is better to hide that header rather than leave it exposed. There are automated tools, scanners, bots etc that will look for certain server response headers. If the right conditions are met, the tool/bot will often perform additional functions including sending exploits to the host. By simply hiding headers, you may just prevent those and other types of attacks. Granted, a vulnerable application is still a vulnerable application. Anyway... point being, it is advised to remove those headers. Security has to be implemented in layers and preventing the footprinting of your application's underlying framework is the first of many steps to protect it.
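The answer recommends verifying that the container no longer advertises its stack. The following is an added example, not code from the question, the answer or any servlet container: a small Python 3 (standard library only) audit that parses an HTTP response, flags the X-Powered-By and Server headers, and pulls out any version numbers they disclose. The two sample responses are constructed for the example; the X-Powered-By value is the one quoted from the spec above, while "Example Container/1.2.3" is a made-up Server value. The `audit_url` helper is an assumption about how you would run the same check against a server you operate.

```python
"""Flag HTTP response headers that fingerprint the server stack."""
import re
import urllib.request
from dataclasses import dataclass

# Headers whose presence advertises the implementation behind the site.
# Names are compared case-insensitively against what the server sent.
DISCLOSURE_HEADERS = ("x-powered-by", "server")

# Anything that looks like a dotted version number, e.g. "3.0" or "1.6.0".
VERSION_RE = re.compile(r"\d+(?:\.\d+)+")


@dataclass
class Finding:
    header: str     # header name exactly as the server sent it
    value: str      # full header value
    versions: list  # version strings found in the value (may be empty)


def parse_headers(raw: bytes) -> list:
    """Split a raw HTTP/1.x response into (name, value) header pairs.

    Only the header block up to the first blank line is examined; the
    status line is skipped and duplicate headers are all kept, since the
    spec allows several implementation types to be listed.
    """
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    lines = head.split("\r\n")[1:]  # drop the status line
    pairs = []
    for line in lines:
        if not line or ":" not in line:
            continue
        name, value = line.split(":", 1)
        pairs.append((name.strip(), value.strip()))
    return pairs


def find_disclosures(headers) -> list:
    """Return one Finding per header that fingerprints the stack."""
    findings = []
    for name, value in headers:
        if name.lower() in DISCLOSURE_HEADERS and value:
            findings.append(Finding(name, value, VERSION_RE.findall(value)))
    return findings


def audit_raw(raw: bytes) -> list:
    """Audit a raw response captured as bytes (works offline)."""
    return find_disclosures(parse_headers(raw))


def audit_url(url: str, timeout: float = 5.0) -> list:
    """Assumed helper: run the same check against a live server you operate.

    urlopen raises HTTPError for 4xx/5xx statuses; catch it if you want
    to inspect the headers of error pages as well.
    """
    req = urllib.request.Request(url, method="HEAD")
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return find_disclosures(list(resp.headers.items()))


# Constructed sample responses (not captured from any real host).
LEAKY = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: Example Container/1.2.3\r\n"
    b"X-Powered-By: Servlet/3.0 JSP/2.2 (GlassFish v3 JRE/1.6.0)\r\n"
    b"Content-Type: text/html\r\n"
    b"\r\n"
    b"<html></html>"
)
HARDENED = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/html\r\n"
    b"\r\n"
    b"<html></html>"
)

if __name__ == "__main__":
    for label, raw in (("leaky", LEAKY), ("hardened", HARDENED)):
        print(label, audit_raw(raw) or "no disclosure headers")
```

The suppression itself belongs in container configuration rather than application code, which is what the spec's "should be configurable to suppress this header" sentence refers to; Tomcat, for instance, exposes this as the `xpoweredBy` attribute on the HTTP Connector, which is off by default. Run the audit after deploying to confirm the setting took effect, and remember, as the answer says, that a clean header set hides the framework from scanners but does not fix whatever the framework is vulnerable to.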