How do I fix info disclosure x powered by on Shopify?

Shopify's infrastructure automatically manages all HTTP response headers — store owners cannot directly modify server-level headers like X-Powered-By from the Shopify admin. Shopify does not expose X-Powered-By with sensitive stack information on standard storefronts; if a scanner flags this, verify whether it is coming from a third-party app, a custom Hydrogen/Oxygen headless front-end, or a connected external service. For Hydrogen (headless) storefronts deployed on Oxygen: open your Hydrogen project, locate server middleware or the entry server file, and add a response-header removal step (e.g., `response.headers.delete('x-powered-by')`) before sending the response. For third-party apps injecting the header, contact the app developer or disable the app if it poses a risk.

How to fix info disclosure x powered by on Shopify

Remove or mask the X-Powered-By HTTP response header to stop advertising your server technology stack to attackers.

Steps for Shopify

Shopify's infrastructure automatically manages all HTTP response headers — store owners cannot directly modify server-level headers like X-Powered-By from the Shopify admin.
Shopify does not expose X-Powered-By with sensitive stack information on standard storefronts; if a scanner flags this, verify whether it is coming from a third-party app, a custom Hydrogen/Oxygen headless front-end, or a connected external service.
For Hydrogen (headless) storefronts deployed on Oxygen: open your Hydrogen project, locate server middleware or the entry server file, and add a response-header removal step (e.g., `response.headers.delete('x-powered-by')`) before sending the response.
For third-party apps injecting the header, contact the app developer or disable the app if it poses a risk.

Official Shopify documentation ↗

# Nginx — strip X-Powered-By in server block
more_clear_headers 'X-Powered-By';

# Apache .htaccess — unset header
Header unset X-Powered-By

# PHP — suppress PHP version header
expose_php = Off          # php.ini
header_remove('X-Powered-By');  # PHP code

# Next.js — next.config.js
module.exports = {
  poweredByHeader: false,
};

What is info disclosure x powered by?

Every time someone visits your store, your web server sends back a set of "headers" — invisible metadata that browsers and tools can read. One of these, X-Powered-By, often announces exactly what software is running your site (e.g., "WP Engine", "PHP/8.1", "Express"). This header serves no useful purpose for your customers but acts like a neon sign telling attackers which known vulnerabilities to target. Removing or masking it is a simple hardening step that reduces your visible attack surface.

Attackers routinely scan millions of sites for this header and then cross-reference the disclosed technology with published CVE vulnerability databases — meaning an exposed X-Powered-By header can make your store a faster, easier target for automated exploits. While removing it doesn't fix underlying vulnerabilities, it raises the effort required to fingerprint your stack and is a baseline expectation in security audits and PCI-DSS compliance reviews. Failing this check can flag your store in penetration tests, risk assessments, and payment-processor security questionnaires, potentially affecting your ability to process cards. It is specifically called out under OWASP A05:2021 – Security Misconfiguration as an information-disclosure risk.

See the complete Info disclosure x powered by guide for every platform and the full background.

Not sure if your Shopify store has this?

Run a free SEOLZ audit — we’ll find info disclosure x powered by and every other issue across your whole site.

Scan my site free

How to fix info disclosure x powered by on Shopify

Steps for Shopify

What is info disclosure x powered by?

Not sure if your Shopify store has this?

Fix info disclosure x powered by on another platform