Disclosing technology fingerprints allows an attacker to gather information about the technologies used to develop the web application and to perform relevant security assessments more quickly (like the identification of known vulnerable components).

Ask Yourself Whether

There is a risk if you answered yes to any of these questions.

Recommended Secure Coding Practices

It's recommended to not disclose technologies used on a website, with x-powered-by HTTP header for example.

In addition, it's better to completely disable this HTTP header rather than setting it a random value.

Sensitive Code Example

Express.js name is disclosed by default into the x-powered-by HTTP header:

let express = require('express');
let app = express(); // Sensitive

app.get('/', function (req, res) {
  res.send('hello')
});

Compliant Solution

x-powered-by HTTP header should be disabled in Express.js with app.disable or with helmet hidePoweredBy middleware:

let express = require('express');

let app1 = express();  // Compliant
app1.disable("x-powered-by");

let helmet = require("helmet");
let app2 = express(); // Compliant
app2.use(helmet.hidePoweredBy());

See