Disclosing technology fingerprints allows an attacker to gather information about the technologies used to develop the web application and to perform relevant security assessments more quickly (like the identification of known vulnerable components).
The x-powered-by HTTP header or a similar header is used by the application. There is a risk if you answered yes to any of these questions.
It's recommended not to disclose the technologies used on a website, for example through the x-powered-by HTTP header.
In addition, it's better to completely disable this HTTP header rather than setting it to a random value.
By default, Express.js discloses its name in the x-powered-by HTTP header:
let express = require('express');
let app = express(); // Sensitive
app.get('/', function (req, res) {
  res.send('hello');
});
The x-powered-by HTTP header should be disabled in Express.js with app.disable or with the helmet hidePoweredBy middleware:
let express = require('express');
let app1 = express(); // Compliant
app1.disable("x-powered-by");

let helmet = require("helmet");
let app2 = express(); // Compliant
app2.use(helmet.hidePoweredBy());
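
To check that the header is really gone after the change, the following added example (not part of the original rule text) audits response headers for x-powered-by and similar fingerprint headers. The header list, the version-matching policy for Server, the function names and the sample responses are assumptions constructed for illustration.

```javascript
// Added example: audit response headers for technology fingerprints.
// Headers flagged on mere presence (illustrative list, an assumption).
const ALWAYS_FLAG = ['x-powered-by', 'x-aspnet-version', 'x-aspnetmvc-version', 'x-generator'];
// "Server" is flagged only when it carries a version number (assumed policy).
const VERSION_RE = /\d+(\.\d+)+/;

function findFingerprintHeaders(headers) {
  const findings = [];
  for (const [name, value] of Object.entries(headers)) {
    const key = name.toLowerCase(); // header names are case-insensitive
    if (ALWAYS_FLAG.includes(key)) {
      // Presence is the finding, whatever the value: the recommendation is
      // to disable the header rather than set it to a random value.
      findings.push({ header: key, value: String(value), reason: 'present' });
    } else if (key === 'server' && VERSION_RE.test(String(value))) {
      findings.push({ header: key, value: String(value), reason: 'version disclosed' });
    }
  }
  return findings;
}

// Constructed sample responses (not captured from a real system).
const samples = {
  expressDefault: { 'X-Powered-By': 'Express', 'Content-Type': 'text/html; charset=utf-8' },
  randomValue: { 'x-powered-by': 'a8f3', 'Content-Type': 'text/html; charset=utf-8' },
  disabled: { 'Content-Type': 'text/html; charset=utf-8' },
  serverVersion: { Server: 'nginx/1.18.0', 'Content-Type': 'text/html' },
};

// Returns, per labelled response, the names of the headers that were flagged.
function auditAll(responses) {
  const report = {};
  for (const [label, headers] of Object.entries(responses)) {
    report[label] = findFingerprintHeaders(headers).map((f) => f.header);
  }
  return report;
}

console.log(auditAll(samples));
```

The same function can be fed the headers object of a real response from your own application in an integration test, so a regression that re-enables the header fails the build.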