Info disclosure x powered by

Quick win

Remove or mask the X-Powered-By HTTP response header to stop advertising your server technology stack to attackers.

What it is

Every time someone visits your store, your web server sends back a set of "headers" — invisible metadata that browsers and tools can read. One of these, X-Powered-By, often announces exactly what software is running your site (e.g., "WP Engine", "PHP/8.1", "Express"). This header serves no useful purpose for your customers but acts like a neon sign telling attackers which known vulnerabilities to target. Removing or masking it is a simple hardening step that reduces your visible attack surface.

Why it matters

Attackers routinely scan millions of sites for this header and then cross-reference the disclosed technology with published CVE vulnerability databases — meaning an exposed X-Powered-By header can make your store a faster, easier target for automated exploits. While removing it doesn't fix underlying vulnerabilities, it raises the effort required to fingerprint your stack and is a baseline expectation in security audits and PCI-DSS compliance reviews. Failing this check can flag your store in penetration tests, risk assessments, and payment-processor security questionnaires, potentially affecting your ability to process cards. It is specifically called out under OWASP A05:2021 – Security Misconfiguration as an information-disclosure risk.

How to fix it

  1. Audit your current headers by visiting your site URL in a tool like https://securityheaders.com or using browser DevTools (Network tab → click any request → inspect Response Headers) to confirm the X-Powered-By header is present.
  2. Identify where the header is being set: it may come from your hosting platform/CDN, your web server (Apache/Nginx), a PHP runtime, or a Node.js framework — sometimes multiple layers send it.
  3. Remove or suppress the header at the highest relevant layer (hosting control panel, server config, or application code) — see platform-specific steps below.
  4. If you cannot fully remove it (e.g., a managed host sets it), replace its value with a generic or empty string so it reveals nothing meaningful.
  5. Re-test with DevTools or securityheaders.com to confirm the header no longer appears (or now shows a non-informative value) in server responses.
  6. Repeat the check after any platform upgrade or plugin update, as updates can re-introduce the header.

# Nginx — strip X-Powered-By in server block (requires the headers-more module)
more_clear_headers 'X-Powered-By';

# Apache .htaccess — unset header (requires mod_headers)
Header unset X-Powered-By

; PHP — php.ini: stop PHP adding its own "X-Powered-By: PHP/x.y" header
expose_php = Off

# PHP code — remove the header before any output is sent
header_remove('X-Powered-By');

// Next.js — next.config.js
module.exports = {
  poweredByHeader: false,
};
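
The audit and re-test steps above, as an added Python example (not code from the original page): it fetches each redirect hop with GET, keeps duplicate headers so every layer's copy shows up, and classifies X-Powered-By as absent, masked, or disclosing. The script name, the user agent string and the GENERIC_VALUES set are assumptions.

```python
"""Audit a site for X-Powered-By (added example). Usage: python xpb_audit.py URL"""
import sys
import urllib.error
import urllib.parse
import urllib.request

# Assumed set of values that reveal nothing useful (header masked, not removed).
GENERIC_VALUES = {"", "none", "unknown", "web server"}

def classify_powered_by(headers):
    """headers: (name, value) pairs of one response -> (status, values), status in
    'absent' | 'masked' | 'disclosing'. Names match case-insensitively; duplicates
    are kept because CDN, web server, PHP and framework may each add a copy."""
    values = [v.strip() for n, v in headers if n.lower() == "x-powered-by"]
    if not values:
        return "absent", values
    if all(v.lower() in GENERIC_VALUES for v in values):
        return "masked", values
    return "disclosing", values

class _NoRedirect(urllib.request.HTTPRedirectHandler):
    # Stop at every hop: a redirecting front door may run a different stack.
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None

def fetch_headers(url):
    # GET rather than HEAD (some servers answer HEAD from a different code path).
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(url, headers={"User-Agent": "xpb-audit/1.0"})
    try:
        with opener.open(req, timeout=10) as resp:
            return resp.status, resp.headers.get("Location"), list(resp.headers.items())
    except urllib.error.HTTPError as e:  # 3xx/4xx/5xx responses carry headers too
        return e.code, e.headers.get("Location"), list(e.headers.items())

def audit(url, max_hops=5):
    """Classify X-Powered-By at every redirect hop; returns (url, code, status, values) tuples."""
    findings = []
    for _ in range(max_hops):
        code, location, headers = fetch_headers(url)
        findings.append((url, code) + classify_powered_by(headers))
        if not (300 <= code < 400 and location):
            break
        url = urllib.parse.urljoin(url, location)
    return findings

if __name__ == "__main__":
    for url, code, status, values in audit(sys.argv[1]):
        print(f"{code} {url}: X-Powered-By {status} {values}")
```

A "masked" result means step 4 was applied but the header is still sent; "disclosing" with more than one value means more than one layer is adding it.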

Fix it on your platform

Pick your platform for the exact steps.

How to fix info disclosure x powered by on Shopify
  1. Shopify's infrastructure automatically manages all HTTP response headers — store owners cannot directly modify server-level headers like X-Powered-By from the Shopify admin.
  2. Shopify does not expose X-Powered-By with sensitive stack information on standard storefronts; if a scanner flags this, verify whether it is coming from a third-party app, a custom Hydrogen/Oxygen headless front-end, or a connected external service.
  3. For Hydrogen (headless) storefronts deployed on Oxygen: open your Hydrogen project, locate server middleware or the entry server file, and add a response-header removal step (e.g., `response.headers.delete('x-powered-by')`) before sending the response.
  4. For third-party apps injecting the header, contact the app developer or disable the app if it poses a risk.
How to fix info disclosure x powered by on Shopify Plus
  1. Same as Shopify above. Shopify Plus merchants with custom Hydrogen storefronts on Oxygen should remove the header in their server middleware as described.
  2. If using a custom external front-end (e.g., Next.js on Vercel), apply the fix at the Next.js/Vercel layer — add `{ key: 'X-Powered-By', value: '' }` removal in next.config.js headers config, or use Vercel's Headers settings in the project dashboard under Settings → Headers.
How to fix info disclosure x powered by on WooCommerce
  1. WooCommerce runs on WordPress + PHP, so the header typically comes from PHP or your host. The fix lives in your server config or a plugin.
  2. Option A — Plugin (no code): Install the free 'HTTP Headers' plugin (by Dimitar Ivanov) or 'Security Headers' plugin. In WordPress Admin → HTTP Headers (or Security Headers), find the X-Powered-By entry and set it to remove/suppress.
  3. Option B — PHP (wp-config.php or functions.php): Add `header_remove('X-Powered-By');` near the top of wp-config.php, or inside a must-use plugin file in /wp-content/mu-plugins/.
  4. Option C — Nginx server block: Add `more_clear_headers 'X-Powered-By';` (requires headers-more module) or handle it via your host's control panel (cPanel → Apache/Nginx configuration).
  5. Option D — Apache .htaccess: Add `Header unset X-Powered-By` (requires mod_headers). Place this in your root .htaccess file above the WordPress rewrite block.
  6. Verify with browser DevTools → Network tab after saving.
How to fix info disclosure x powered by on WordPress.org
  1. Same stack as WooCommerce. Add `header_remove('X-Powered-By');` to wp-config.php, or use the 'HTTP Headers' or 'Solid Security' (formerly iThemes Security) plugin to suppress the header from the WordPress admin.
  2. In Solid Security: Admin → Solid Security → Settings → Server Config Tweaks — enable 'Remove File Writing Permissions' and review server header options.
  3. For Nginx hosting, work with your host to add `more_clear_headers 'X-Powered-By';` in the server block. For Apache, add `Header unset X-Powered-By` to .htaccess.
How to fix info disclosure x powered by on BigCommerce
  1. BigCommerce is a fully managed SaaS platform; core HTTP response headers are controlled by BigCommerce's infrastructure and cannot be changed from the merchant admin.
  2. If X-Powered-By is flagged on a BigCommerce storefront, raise a support ticket with BigCommerce to request header suppression, or note it as a platform-level finding outside merchant control.
  3. If you use a custom headless front-end (e.g., Next.js via BigCommerce's headless channel), remove the header there: in next.config.js add a `headers()` async function returning `{ source: '/(.*)', headers: [{ key: 'X-Powered-By', value: '' }] }` and set `poweredByHeader: false`.
How to fix info disclosure x powered by on Adobe Commerce (Magento)
  1. For Nginx: Edit your Magento Nginx server block config (typically at /etc/nginx/sites-available/magento or your server's vhost file). Add `more_clear_headers 'X-Powered-By';` inside the `server {}` block, then run `nginx -t && systemctl reload nginx`.
  2. For Apache: Open or create a .htaccess in your Magento web root. Add `Header unset X-Powered-By` (mod_headers must be enabled). Alternatively, set it in your VirtualHost config.
  3. For PHP-FPM: Edit php.ini (or a pool .conf file) and set `expose_php = Off` — this prevents PHP from adding its own X-Powered-By value.
  4. For Adobe Commerce Cloud (cloud.adobe.com): Add a custom Fastly VCL snippet via Admin → Stores → Configuration → Advanced → System → Full-Page Cache → Fastly Configuration → Custom VCL Snippets, with a `vcl_deliver` subroutine that calls `unset resp.http.X-Powered-By;`.
  5. Verify with: `curl -I https://yourstore.com | grep -i powered`
How to fix info disclosure x powered by on Magento Open Source
  1. Follow the same Nginx/Apache/.htaccess and PHP expose_php steps as Adobe Commerce above.
  2. For shared hosting with cPanel: Go to cPanel → Software → MultiPHP INI Editor, select your PHP version, and set expose_php to Off.
How to fix info disclosure x powered by on Wix
  1. Wix is a fully managed SaaS platform; HTTP response headers are set by Wix's infrastructure and cannot be changed from the site owner's dashboard.
  2. If a scanner flags X-Powered-By on a Wix site, this is a platform-level concern. Contact Wix Support to report it or note it as outside merchant control.
  3. If you use Wix Velo (custom backend code) with external APIs, ensure those API endpoints are hosted elsewhere with headers properly suppressed.
How to fix info disclosure x powered by on Wix Studio
  1. Same as Wix above — Wix Studio sites run on Wix's managed infrastructure. HTTP headers cannot be configured by the site owner.
  2. For Wix Studio sites using Velo backend functions that proxy to external services, suppress X-Powered-By at the external service layer.
How to fix info disclosure x powered by on Squarespace
  1. Squarespace is a fully managed SaaS platform; HTTP headers are controlled by Squarespace's infrastructure and cannot be modified by the site owner.
  2. If flagged, note this as a platform-level finding. Contact Squarespace Support to report the concern.
  3. If you have connected a custom external back-end or API, suppress the header at that service's server or CDN level.
How to fix info disclosure x powered by on Webflow
  1. Webflow-hosted sites run on Webflow's managed CDN; site owners cannot configure raw HTTP response headers from the Webflow Designer or Editor.
  2. If you use Webflow's Logic or connect external services/webhooks, ensure those external endpoints suppress X-Powered-By at their own server or CDN layer.
  3. For sites exported from Webflow and self-hosted: configure header removal in your own web server (Nginx/Apache) or CDN (Cloudflare) as described in the generic steps.
How to fix info disclosure x powered by on PrestaShop
  1. For Apache hosting: Add `Header unset X-Powered-By` to your PrestaShop root .htaccess file (mod_headers must be active).
  2. For Nginx hosting: Add `more_clear_headers 'X-Powered-By';` to the server block in your vhost config, then reload Nginx.
  3. In php.ini (or .user.ini in your web root): Set `expose_php = Off` to prevent PHP from emitting its version in this header.
  4. Alternatively, add `header_remove('X-Powered-By');` in /config/defines.inc.php or a custom override module.
How to fix info disclosure x powered by on OpenCart
  1. Add `header_remove('X-Powered-By');` in OpenCart's index.php entry file (root of your installation) near the top, after the opening PHP tag.
  2. For Apache: Add `Header unset X-Powered-By` to your .htaccess file.
  3. For Nginx: Add `more_clear_headers 'X-Powered-By';` to your server block config.
  4. Set `expose_php = Off` in php.ini to stop PHP from injecting its version string.
How to fix info disclosure x powered by on Next.js
  1. In next.config.js, set `poweredByHeader: false` at the root of the exported config object — this removes the 'X-Powered-By: Next.js' header automatically.
  2. To also remove headers set by the underlying Node/hosting layer, add an async `headers()` function in next.config.js returning a rule for all routes: `{ source: '/(.*)', headers: [{ key: 'X-Powered-By', value: '' }] }` — though setting to empty string is less effective than removal; prefer the poweredByHeader: false flag.
  3. If deploying on Vercel: Go to Vercel Dashboard → your project → Settings → Headers, and add a rule to remove X-Powered-By for all paths.
  4. Redeploy and verify with `curl -I https://yoursite.com | grep -i powered`.
How to fix info disclosure x powered by on Nuxt.js
  1. In nuxt.config.ts/js, use a `routeRules` entry (or a `serverHandlers` entry, or the `nitro` config) to clear the header for all routes, e.g. `nitro: { routeRules: { '/**': { headers: { 'x-powered-by': '' } } } }`.
  2. For Nuxt 2 with Express server middleware: Add `app.disable('x-powered-by')` in your serverMiddleware.
  3. For deployments on a Node server, set `X_POWERED_BY=false` as an env var if supported, or apply an Nginx/Caddy reverse-proxy rule to strip the header before it reaches clients.
  4. Verify with browser DevTools or curl after deployment.
How to fix info disclosure x powered by on Drupal
  1. In your sites/default/settings.php or a custom module's hook_boot(), call `header_remove('X-Powered-By');` or use `drupal_add_http_header('X-Powered-By', '');`.
  2. Install the 'Security Kit' (seckit) module from drupal.org: Admin → Configuration → System → Security Kit — it provides options to strip information-disclosure headers.
  3. For Apache: Add `Header unset X-Powered-By` to your .htaccess or VirtualHost config.
  4. For Nginx: Add `more_clear_headers 'X-Powered-By';` to the server block.
How to fix info disclosure x powered by on Ghost
  1. Ghost runs on Node.js/Express. In your Ghost installation's config.production.json or a custom Express middleware file, you can add app-level header removal.
  2. The most reliable approach for self-hosted Ghost is to configure your Nginx reverse proxy (the recommended Ghost setup uses Nginx in front): add `more_clear_headers 'X-Powered-By';` inside the `server {}` block of your Ghost Nginx config (usually at /etc/nginx/sites-available/your-ghost-site), then reload Nginx.
  3. For Ghost(Pro) managed hosting: this is outside owner control; contact Ghost support if flagged.
How to fix info disclosure x powered by on Cloudflare (as CDN/proxy — applicable to any platform above)
  1. If your store's traffic passes through Cloudflare, you can strip the X-Powered-By header using a Cloudflare Transform Rule. Go to Cloudflare Dashboard → your domain → Rules → Transform Rules → Modify Response Header.
  2. Click 'Create rule', set Field = 'X-Powered-By', Operation = 'Remove', apply to all incoming requests, and save.
  3. This works regardless of your underlying platform and provides a network-level safety net.
