X-Powered-By Hidden
Checks that the `X-Powered-By` response header does not leak the framework or tech stack.
What this check measures
We read the `X-Powered-By` header. "PHP/7.4.3" or "Express" reveals your stack and version to attackers, letting them target known CVEs precisely.
Why it matters
Hiding version information is soft hardening. When disclosure is combined with an unpatched CVE, attackers go straight to exploitation. Hiding it is free.
How our audit detects it
We read the `X-Powered-By` response header and flag it if it is present with any value.
Typical findings
- `X-Powered-By: PHP/7.4.3`
- `X-Powered-By: Express`
- `X-Powered-By: Next.js`
How to fix
Remove the header entirely in your framework config. Express: `app.disable("x-powered-by")`. Next.js: `poweredByHeader: false` in next.config.js.
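The detection rule and the two fixes above, as an added example that is not Pantra's own code: it parses a raw response head, flags every `X-Powered-By` occurrence regardless of case or value, and attaches the matching fix from this page. The function names and sample responses are constructed for illustration.

```javascript
// Added example: audit raw HTTP response heads for X-Powered-By.
// All sample responses below are constructed for illustration.

// Fix hints taken from the page; any other stack gets the generic advice.
const FIXES = [
  [/^express$/i, 'app.disable("x-powered-by")'],
  [/^next\.js$/i, 'poweredByHeader: false in next.config.js'],
];
const GENERIC_FIX = 'remove the header in your framework config';

// Parse the header block of a raw response into [name, value] pairs.
// Header names are case-insensitive, and a header may appear more than once.
function parseHeaders(rawHead) {
  const lines = rawHead.split(/\r?\n/).slice(1); // skip the status line
  const headers = [];
  for (const line of lines) {
    if (line === '') break; // blank line ends the header block
    const idx = line.indexOf(':');
    if (idx <= 0) continue; // not a header line
    headers.push([line.slice(0, idx).trim().toLowerCase(), line.slice(idx + 1).trim()]);
  }
  return headers;
}

// Flag every X-Powered-By occurrence, whatever its value (even empty).
function auditPoweredBy(rawHead) {
  const findings = parseHeaders(rawHead)
    .filter(([name]) => name === 'x-powered-by')
    .map(([, value]) => {
      const [product, version = null] = value.split('/', 2);
      const hit = FIXES.find(([re]) => re.test(product));
      return { value, product, version, fix: hit ? hit[1] : GENERIC_FIX };
    });
  return { pass: findings.length === 0, findings };
}

const SAMPLES = {
  php: 'HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nX-Powered-By: PHP/7.4.3\r\n\r\n<html>',
  express: 'HTTP/1.1 200 OK\r\nx-powered-by: Express\r\n\r\n',
  clean: 'HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\nX-Powered-By: in body',
};

for (const [name, raw] of Object.entries(SAMPLES)) {
  const r = auditPoweredBy(raw);
  console.log(name, r.pass ? 'PASS' : 'FAIL', JSON.stringify(r.findings));
}
```

The `clean` sample passes because the string only appears in the body, after the blank line that ends the header block.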
Frequently asked questions
Does it help security meaningfully?
Related checks
HTTPS Enabled
Checks that the site serves over HTTPS and redirects HTTP to HTTPS.
TLS Version
Checks that the server uses TLS 1.2 or higher — older versions are broken.
Mixed Content
Checks for HTTP resources loaded on HTTPS pages — browsers block or warn.
SSL Certificate
Checks that the SSL certificate is valid, not expired, and not expiring soon.